High-Severity Flaws in ConnectedIO’s 3G/4G Routers Raise Concerns for IoT Security

CVE ID

• CVE-2023-33375 (CVSS score: 8.6) – A stack-based buffer overflow vulnerability in its communication protocol, enabling attackers to take control over devices.
• CVE-2023-33376 (CVSS score: 8.6) – An argument injection vulnerability in its ip tables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
• CVE-2023-33377 (CVSS score: 8.6) – An operating system command injection vulnerability in the set firewall command in part of its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
• CVE-2023-33378 (CVSS score: 8.6) – An argument injection vulnerability in its AT command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.

Exploited in the wide 

Yes

Associated Threat actor \Malware/campaign

Malicious Actor

User Interaction

None

Affected Products

 Vulnerabilities in 3G/4G routers could expose thousands of internal networks to severe threats, enabling bad actors to seize control, intercept traffic, and even infiltrate Extended Internet of Things (XIoT) things.

Summary

vulnerabilities have been disclosed in ConnectedIO’s ER2000 edge routers and the cloud-based management platform that could be exploited by malicious actors to execute malicious code and access sensitive data

Analysis

The shortcomings impacting the ConnectedIO platform versions v2.1.0 and prior, primarily the 4G ER2000 edge router and cloud services, could be chained, permitting attackers to execute arbitrary code on the cloud-based devices without requiring direct access to them

An attacker could have leveraged these flaws to fully compromise the cloud infrastructure, remotely execute code, and leak all customer and device information

Patch/Mitigation 

 Update ConnectedIO v2.1.0 to the latest version.