Kaspersky researchers have identified multiple security vulnerabilities in Cinterion cellular modems, which could potentially be exploited by threat actors to access sensitive information and execute arbitrary code.
These vulnerabilities pose significant risks to critical communication networks and IoT devices across various sectors, including industrial, healthcare, automotive, financial, and telecommunications.
The most severe vulnerability, CVE-2023-47610 (CVSS score: 8.1), is a heap overflow flaw that allows remote attackers to execute arbitrary code by sending a specially crafted SMS message. This access could be further exploited to manipulate RAM and flash memory, granting attackers more control over the modem without requiring authentication or physical access.
Other vulnerabilities discovered by Kaspersky stem from security lapses in handling MIDlets, Java-based applications running within the modems. These flaws could be abused to bypass digital signature checks and allow unauthorized code execution with elevated privileges.
Cinterion modems, initially developed by Gemalto, became part of Telit after its acquisition from Thales in a deal announced in July 2022. These findings were unveiled during OffensiveCon in Berlin on May 11, 2024. The full list of vulnerabilities disclosed by Kaspersky includes:
- CVE-2023-47610 (CVSS score: 8.1)
- CVE-2023-47611 (CVSS score: 7.8)
- CVE-2023-47612 (CVSS score: 6.8)
- CVE-2023-47613 (CVSS score: 4.4)
- CVE-2023-47614 (CVSS score: 3.3)
- CVE-2023-47615 (CVSS score: 3.3)
- CVE-2023-47616 (CVSS score: 2.4)
Jason Soroko, Senior Vice President of Product at Sectigo, emphasized the importance of these findings, stating, “Cinterion integrated modems are used in the supply chain of many IoT devices to allow data access by cellular communication and the vulnerabilities that are being reported are mostly about flaws in memory management that could lead to unauthorized code execution, not just for attackers in the physical possession of the device.“
“There is also a remote attack potential via a carefully crafted SMS message. These are the highest priority vulnerabilities that organizations and security teams need to be aware of,“ he warned.
As Cinterion modems are widely used in IoT devices across various industries, organizations and security teams must be aware of these vulnerabilities and take necessary measures to mitigate the risks associated with them.
Kaspersky’s findings show the importance of robust security practices and regular vulnerability assessments in ensuring the safety and integrity of critical communication networks and IoT devices.