Flaws in Cinterion modems hit several critical infrastructure sectors

Severe security flaws were uncovered in Cinterion cellular modems, including critical flaws that allow remote code execution and unauthorized privilege escalation, posing significant risks to Internet of Things (IoT) devices widely deployed in the industrial, healthcare, automotive, financial and telecommunications sectors.

In a May 10 blog post, Kaspersky ICS CERT explained that CVE-2023-47610, a heap overflow vulnerability in the modem’s SUPL message handler, was the most alarming bug.

The researchers noted the flaw lets remote attackers execute arbitrary code via SMS, granting them unprecedented access to the modem’s operating system. This level of access also lets attackers manipulate RAM and flash memory, increasing the potential to seize complete control over the modem without authentication.
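The bug class described above, a heap overflow in a message handler that trusts a length field carried inside the message, is illustrated below with an added example. This is not Cinterion’s firmware or the real SUPL encoding; the three-byte framing (version, big-endian payload length, payload) and the 64-byte buffer size are constructed for the illustration. The vulnerable handler is shown for contrast and is never executed; the hardened handler bounds the declared length by both the heap buffer and the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy framing (NOT the real SUPL encoding):
 *   byte 0      : protocol version
 *   bytes 1..2  : payload length, big-endian
 *   bytes 3..   : payload
 */
#define HDR_LEN      3
#define MAX_PAYLOAD  64   /* size of the heap buffer the handler allocates */

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the attacker-controlled length field is used directly
 * as the copy size. A message declaring more than MAX_PAYLOAD bytes writes
 * past the end of the 64-byte heap allocation (heap overflow), and a length
 * larger than the received message also reads past the input buffer.
 * Shown for contrast only; nothing in this file calls it. */
int handle_vulnerable(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HDR_LEN) return -1;
    uint16_t declared = read_be16(msg + 1);
    uint8_t *payload = malloc(MAX_PAYLOAD);
    if (!payload) return -1;
    memcpy(payload, msg + HDR_LEN, declared);   /* overflow when declared > MAX_PAYLOAD */
    free(payload);
    return 0;
}

/* Hardened pattern: every length derived from untrusted input is checked
 * against both the destination capacity and the bytes actually present.
 * Returns 0 on success, -1 short header, -2 oversize, -3 truncated input. */
int handle_hardened(const uint8_t *msg, size_t msg_len, size_t *out_len) {
    if (msg_len < HDR_LEN) return -1;
    uint16_t declared = read_be16(msg + 1);
    if (declared > MAX_PAYLOAD) return -2;          /* would overflow the heap buffer */
    if (declared > msg_len - HDR_LEN) return -3;    /* would read beyond the input */
    uint8_t *payload = malloc(MAX_PAYLOAD);
    if (!payload) return -1;
    memcpy(payload, msg + HDR_LEN, declared);       /* both bounds now proven */
    if (out_len) *out_len = declared;
    free(payload);
    return 0;
}

int main(void) {
    /* Constructed sample messages */
    const uint8_t ok[]        = {1, 0x00, 0x04, 'a', 'b', 'c', 'd'};  /* declares 4, carries 4 */
    const uint8_t oversize[]  = {1, 0x10, 0x00};                      /* declares 4096 bytes */
    const uint8_t truncated[] = {1, 0x00, 0x04, 'a', 'b'};            /* declares 4, carries 2 */
    size_t n = 0;

    printf("ok        -> %d (len %zu)\n", handle_hardened(ok, sizeof ok, &n), n);
    printf("oversize  -> %d\n", handle_hardened(oversize, sizeof oversize, &n));
    printf("truncated -> %d\n", handle_hardened(truncated, sizeof truncated, &n));
    return 0;
}
```

The two checks in `handle_hardened` are the whole fix: the first protects the heap allocation, the second protects the input buffer. Either one alone leaves a memory-safety bug reachable by anyone who can deliver a message to the handler, which for a cellular modem includes SMS.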

“The vulnerabilities we uncovered, coupled with the widespread deployment of these devices in various sectors, highlight the potential for extensive global disruption,” said Evgeny Goncharov, head of Kaspersky ICS CERT. “These disturbances range from economic and operational impacts to safety issues.”

Cinterion modems are used in the supply chain of many IoT devices to enable data access via cellular communication, explained Jason Soroko, senior vice president of product at Sectigo. Soroko said the vulnerabilities being reported are mostly about flaws in memory management that could lead to unauthorized code execution, and not just for attackers in physical possession of the device.

“There’s also a remote attack possible via a carefully crafted SMS message,” said Soroko. “These are the highest-priority vulnerabilities that organizations and security teams need to be aware of.”

John Gallagher, vice president of Viakoo Labs, noted that Cinterion cellular modems connect everything from municipal recycling bins to water control systems to healthcare to private LTE/5G networks within enterprises.

“These vulnerabilities have the potential to disable or disrupt the operations of IoT/OT systems and give threat actors access to data present in the system,” said Gallagher. “Threat actors obviously can use modem access to also monitor traffic and observe operational patterns.”

Gallagher added that the current mitigations offered are unrealistic for most organizations to implement. For instance, Gallagher said restricting physical access to these devices ignores that IoT devices are typically deployed at large scale across wide physical areas, where it is hard to ensure access has been restricted. Likewise, disabling SMS messaging cripples one of the cellular modem’s key functions.

“These mitigations are a weak defense, and ultimately the devices will have to be patched,” said Gallagher.