Kaspersky ICS CERT researchers have detected critical vulnerabilities in Cinterion cellular modems, widely deployed in millions of devices and vital to global connectivity infrastructure.
The discovery reveals flaws that allow a remote, unauthorised attacker to execute arbitrary code, constituting a major threat to millions of industrial devices.
These vulnerabilities include critical flaws that permit remote code execution and unauthorised privilege escalation, posing substantial risks to the communication networks and IoT devices that underpin the industrial, healthcare, automotive, financial and telecommunications sectors.
Among the vulnerabilities detected, the most alarming is CVE-2023-47610, a heap overflow vulnerability within the modem’s SUPL message handlers.
The flaw enables remote attackers to execute arbitrary code via SMS, granting them unprecedented access to the modem’s operating system. This access also facilitates the manipulation of RAM and flash memory, increasing the potential to seize complete control over the modem’s functionalities – all without authentication or requiring physical access to the device.
Further investigations exposed significant security lapses in the handling of MIDlets, Java-based applications running on the modems. Attackers could compromise the integrity of these applications by circumventing digital signature checks, enabling unauthorised code execution with elevated privileges.
This flaw poses significant risks not only to data confidentiality and integrity but also to broader network security and device integrity.
“The vulnerabilities we found, coupled with the widespread deployment of these devices in various sectors, highlight the potential for extensive global disruption,” says Evgeny Goncharov, head of Kaspersky ICS CERT. “These disturbances range from economic and operational impacts to safety issues.
“Since the modems are typically integrated in a matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging. Affected vendors must undertake extensive efforts to manage risks, with mitigation often feasible only on the telecom operators’ side.”
To counter the threat posed by the CVE-2023-47610 vulnerability, Kaspersky recommends the only reliable solution: disabling nonessential SMS messaging capabilities and employing private APNs with strict security settings.
Regarding the other zero-day vulnerabilities registered under CVE-2023-47611 through CVE-2023-47616, Kaspersky advises enforcing rigorous digital signature verification for MIDlets, controlling physical access to devices, and conducting regular security audits and updates.
All findings were proactively shared with the manufacturer prior to public disclosure.