Vulnerabilities allow attackers to remotely execute arbitrary code without authorization
Kaspersky ICS CERT researchers have discovered critical vulnerabilities in Cinterion cellular modems, which are often used as part of various IoT and network-connected solutions. Kaspersky Lab presented details of the vulnerabilities at the OffensiveCon conference in Berlin in May 2024.
As experts note, the vulnerabilities allow attackers to remotely execute arbitrary code without authorization, which poses a threat to millions of different devices – from ATMs and payment terminals to cars and medical equipment.
The most concerning vulnerability is CVE-2023-47610, a heap buffer overflow in the modem's SUPL message handlers. It allows attackers to execute arbitrary code remotely by sending SMS messages. The code has unlimited access to the resources of the device and operating system, and the attack requires neither authentication nor physical access to the modem.
The study also revealed serious problems with the security of MIDlets, the Java applications running on modems. Attackers can compromise the integrity of these applications or install their own.
To protect against the risks associated with the CVE-2023-47610 vulnerability, Kaspersky Lab recommends disabling SMS capabilities on the carrier side and using private APNs with strict security settings. Regarding other zero-day vulnerabilities, including CVE-2023-47611 and CVE-2023-47616, Kaspersky Lab advises manufacturers of devices that include vulnerable modems to set up strict verification of digital signatures for MIDlets, and advises users to control physical access to devices.