Several serious vulnerabilities have been discovered in Telit Cinterion cellular M2M modems, including the possibility of remote arbitrary code execution (RCE) via SMS messages. These modems are used in millions of different devices and systems for both the consumer market segment (payment terminals, ATMs, cars) and various industries such as healthcare, financial, telecommunications, manufacturing and so on. We’ll tell you about the detected vulnerabilities and how you can protect yourself from them.
Critical vulnerabilities in Cinterion modems
In total, Kaspersky ICS-CERT experts discovered seven zero-day vulnerabilities in Telit Cinterion modems:
- CVE-2023-47610 / KLCERT-23-018: An attacker can achieve remote code execution (RCE) on the system by sending specially crafted SMS.
- CVE-2023-47611 / KLCERT-22-216: Allows an attacker with low privileges on the system to elevate them to “manufacturer” level.
- CVE-2023-47612 / KLCERT-22-194: An attacker with physical access to the device has the ability to read and write any files and directories on the system, including those that are hidden.
- CVE-2023-47613 / KLCERT-22-211: Allows an attacker with low privileges on the system to escape a virtual directory and gain read and write access to protected files.
- CVE-2023-47614 / KLCERT-22-210: Allows an attacker with low privileges on the system to disclose hidden virtual paths and filenames.
- CVE-2023-47615 / KLCERT-22-212: Allows an attacker with low privileges on the system to gain unauthorized access to sensitive data.
- CVE-2023-47616 / KLCERT-22-193: An attacker with physical access to the device has the ability to gain unauthorized access to sensitive data.
The most dangerous is the first vulnerability on this list (CVE-2023-47610). Among other things, it allows attackers to manipulate the modem’s memory and flash drive, ultimately giving them complete control over the system. Furthermore, this attack does not require physical access to the device or authentication.
Which devices have the described vulnerabilities?
All of the vulnerabilities mentioned above, from CVE-2023-47610 to CVE-2023-47616, affect the following list of cellular IoT modems:
- Cinterion BGS5
- Cinterion EHS5/6/8
- Cinterion PDS5/6/8
- Cinterion ELS61/81
- Cinterion PLS62
Information about the vulnerabilities in these products was communicated in advance to Cinterion, the manufacturer of the modems.
It should be noted that the Cinterion modem line has changed hands several times. Cinterion company was acquired by Gemalto in 2010. In 2019, Gemalto was absorbed by Thales. Finally, in 2023, Thales sold the Cinterion modem line to Telit, resulting in Telit Cinterion.
It’s extremely difficult at this stage to compile a complete list of end products affected by these vulnerabilities. Manufacturers rarely disclose the component base used in their products, and cellular modem chips are often not directly integrated into end devices, but are parts of other components. What you end up with is multistage nesting – one supplier uses another supplier’s solutions in their product, that supplier uses a third, and so on down the chain. As a result, it is not easy even for the manufacturer of the end device to determine which chip performs the modem functions.
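Because the supply chain hides which chip actually provides the modem function, the practical first step for an asset owner is to ask each device's modem directly. The following script is an added example, not Kaspersky ICS-CERT or Telit code: it takes the manufacturer and model responses that a fleet-collection job captured over the modem's AT port (the standard 3GPP commands AT+CGMI and AT+CGMM) and flags assets whose model matches the list above. It assumes the modem answers those commands with the bare model name (for example `EHS6`); the exact strings a given firmware returns, and the inventory records themselves, are constructed for illustration and must be checked against the vendor's AT command manual.

```python
"""Flag inventoried modems that match the Telit Cinterion models named in the
advisory (BGS5, EHS5/6/8, PDS5/6/8, ELS61/81, PLS62).

Added example, not vendor or Kaspersky ICS-CERT tooling. Assumes the modem
replies to AT+CGMI / AT+CGMM with the plain manufacturer and model name in a
V.250-style response; the real strings for a given firmware are an assumption
and should be verified against the vendor documentation.
"""
import re
from typing import Dict, List, Optional

# Affected models as enumerated in the advisory, with the "EHS5/6/8" style
# shorthand expanded into one entry per model.
AFFECTED_MODELS = frozenset({
    "BGS5",
    "EHS5", "EHS6", "EHS8",
    "PDS5", "PDS6", "PDS8",
    "ELS61", "ELS81",
    "PLS62",
})

# The product line changed hands (Cinterion -> Gemalto -> Thales -> Telit),
# so any of these names may appear in the AT+CGMI manufacturer string.
VENDOR_NAMES = ("CINTERION", "GEMALTO", "THALES", "TELIT")


def parse_at_response(raw: str) -> Optional[str]:
    """Return the information line from a V.250-style AT response.

    A typical AT+CGMM reply looks like "\\r\\nEHS6\\r\\n\\r\\nOK\\r\\n". The
    echoed command (when echo is enabled), blank lines and the final result
    code (OK/ERROR) are dropped; the first remaining line is the payload.
    """
    lines = [line.strip() for line in raw.replace("\r", "\n").split("\n")]
    payload = [
        line for line in lines
        if line and line not in ("OK", "ERROR") and not line.startswith("AT")
    ]
    return payload[0] if payload else None


def normalize_model(model_line: str) -> str:
    """Reduce a model string to an uppercase token such as "EHS6".

    Matching on a model-shaped token (three letters followed by one or two
    digits) rather than the whole line tolerates surrounding whitespace or
    decoration; that format is an assumption about Cinterion model names.
    """
    match = re.search(r"\b([A-Z]{3}\d{1,2})\b", model_line.upper())
    return match.group(1) if match else model_line.strip().upper()


def is_affected(cgmi_response: str, cgmm_response: str) -> bool:
    """True when the manufacturer/model pair matches an advisory-listed modem."""
    manufacturer = (parse_at_response(cgmi_response) or "").upper()
    model_line = parse_at_response(cgmm_response) or ""
    vendor_ok = any(name in manufacturer for name in VENDOR_NAMES)
    return vendor_ok and normalize_model(model_line) in AFFECTED_MODELS


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the asset IDs whose modem is on the affected list."""
    return [rec["asset"] for rec in inventory if is_affected(rec["cgmi"], rec["cgmm"])]


# Constructed sample inventory: what a collection job might have captured
# from each device's modem serial port. Not real device output.
SAMPLE_INVENTORY = [
    {"asset": "pos-0117", "cgmi": "\r\nCinterion\r\n\r\nOK\r\n",
     "cgmm": "\r\nEHS6\r\n\r\nOK\r\n"},
    {"asset": "atm-0042", "cgmi": "AT+CGMI\r\r\nTELIT\r\n\r\nOK\r\n",
     "cgmm": "AT+CGMM\r\r\nPLS62\r\n\r\nOK\r\n"},   # echo enabled
    {"asset": "gw-0008", "cgmi": "\r\nQuectel\r\n\r\nOK\r\n",
     "cgmm": "\r\nEC25\r\n\r\nOK\r\n"},             # different vendor
    {"asset": "meter-0310", "cgmi": "\r\nCinterion\r\n\r\nOK\r\n",
     "cgmm": "\r\nELS61\r\n\r\nOK\r\n"},
]

if __name__ == "__main__":
    for asset in triage(SAMPLE_INVENTORY):
        print(f"{asset}: modem model on advisory list; review SMS and APN exposure")
```

Run against the constructed inventory it reports pos-0117, atm-0042 and meter-0310; the Quectel gateway is skipped even though its model string has a similar shape, because the vendor check fails first. The vendor match is deliberately loose to cover the ownership history described above, and the result is only a prioritisation list for the SMS and APN mitigations, not proof that a device is exploitable.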
In the near future, our experts plan to publish a detailed technical report on the security of Telit Cinterion modems on the Kaspersky ICS-CERT website.
We are now communicating with the manufacturers of those products known to use vulnerable modems.
If you are aware of such products, please notify us at ics-cert@kaspersky.com. We will try to contact the manufacturers and provide them with a modem vulnerability report so that they can assess the impact of the vulnerabilities on the security of their products and plan mitigation measures.
How to protect yourself from the described vulnerabilities
To protect against the most dangerous of the discovered vulnerabilities (CVE-2023-47610), Kaspersky ICS-CERT experts recommend the following measures:
- Disable SMS delivery to affected devices (this can be done by the telecom operator).
- Use a private access point name (APN) with strict security settings.
For the other vulnerabilities (from CVE-2023-47611 to CVE-2023-47616), Kaspersky ICS-CERT experts advise doing the following:
- Enforce application signature verification to prohibit installation of untrusted MIDlets on the device.
- Strictly control physical access to the vulnerable devices.
- Install updates and perform regular security audits.