Serious security flaws were discovered in Cinterion cellular modems, including critical flaws that permit remote code execution and unauthorized privilege escalation, posing great risks to Internet of Things (IoT) devices widely found in the industrial, healthcare, automotive, financial and telecom sectors.
In a May 10 blog post, Kaspersky ICS CERT said CVE-2023-47610, a heap overflow vulnerability within the modem’s SUPL message handles, was the most alarming bug.
The researchers said the flaw lets remote attackers execute arbitrary code via SMS, granting them unprecedented access to the modem’s operating system. Such access also lets attackers manipulate RAM and flash memory, increasing the potential to seize complete control over the modem without authentication.
"The vulnerabilities we found, coupled with the widespread deployment of these devices in various sectors, highlight the potential for extensive global disruption,” said Evgeny Goncharov, head of Kaspersky ICS CERT. “These disturbances range from economic and operational impacts to safety issues."
Cinterion modems are used in the supply chain of many IoT devices to allow data access by cellular communication, explained Jason Soroko, senior vice president of product at Sectigo. Soroko said the vulnerabilities that are being reported are mostly about flaws in memory management that could lead to unauthorized code execution, but not just for attackers in physical possession of the device.
“There’s also a remote attack potential via a carefully crafted SMS message,” said Soroko. “These are the highest priority vulnerabilities that organizations and security teams need to be aware of."
John Gallagher, vice president of Viakoo Labs, said that Cinterion cellular modems connect everything from municipal recycling cans to water control systems to healthcare to private LTE/5G networks within enterprises.
“These vulnerabilities have the potential to disable or disrupt the operations of IoT/OT systems and give threat actors access to data present in the system,” said Gallagher. “Threat actors clearly can use modem access to also monitor traffic and observe operational patterns.
Gallagher added that the current mitigations offered are unrealistic for most organizations to implement. For example, Gallagher said restricting physical access to these devices forgets that IoT devices are often deployed at large-scale across large physical areas that are hard to ensure access has been restricted. Likewise, disabling SMS messaging cripples one of the cellular modem's key functions.
“These mitigations are a weak defense, and ultimately the devices will have to be patched,” said Gallagher.
