
Several high-severity security flaws in ConnectedIO’s ER2000 edge routers and their cloud-based management platform could be used by attackers to access sensitive information and run malicious code.

In an analysis released last week, Claroty’s Noam Moshe stated that an attacker “could have leveraged these flaws to fully compromise the cloud infrastructure, remotely execute code, and leak all customer and device information.”

Flaws in 3G/4G routers could put a large number of internal networks at serious risk, making it possible for malicious parties to seize control of devices, intercept communications, and even compromise Extended Internet of Things (XIoT) devices.

The issues affect ConnectedIO platform versions v2.1.0 and earlier, primarily the 4G ER2000 edge router and the cloud services. They could be chained, allowing attackers to run arbitrary code on cloud-based devices without needing direct access to them.

Additionally, flaws have been found in the MQTT communication protocol, which is used to connect devices to the cloud. These flaws include the use of hard-coded authentication credentials, which could be exploited to register a malicious device and gain access to MQTT messages that contain router passwords, SSIDs, and device identifiers.

Due to the flaws, a threat actor could not only use the exposed IMEI numbers to mimic any device of their choosing but also compel the device to carry out arbitrary commands sent via specially constructed MQTT messages.

This is accomplished by using the bash command with the opcode “1116,” which runs a remote command “as-is.”

“This command, which does not require any other form of authentication other than being able to write it to the correct topic, allows us to execute arbitrary commands on all devices,” Moshe said.

“It is not verified that the person sending commands is in fact an authorized issuer. We were able to create a payload that, when given to a device, will trigger code execution using this command opcode.”
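The missing check Moshe describes is that nothing ties a command message to an authorized issuer. The following is an added example, not ConnectedIO’s or Claroty’s code, of a device-side gate that refuses a remote-command message unless it carries a valid per-device HMAC and a fresh counter. The JSON framing, field names (`device_id`, `args`, `counter`, `sig`) and the per-device key provisioning are assumptions for the illustration; only the 1116 opcode and the unauthenticated-issuer finding come from the write-up.

```python
"""
Added example (not ConnectedIO's or Claroty's code): a device-side gate for
MQTT command messages. Message layout, field names and the key model are
assumptions; the 1116 opcode and the missing issuer check are from the article.
"""
import hashlib
import hmac
import json
import secrets

OPCODE_REMOTE_COMMAND = 1116  # the "run this as-is" opcode named in the write-up
REQUIRED = ("device_id", "opcode", "args", "counter", "sig")


def canonical_bytes(msg: dict) -> bytes:
    """Serialise the signed fields deterministically so both sides agree."""
    body = {k: msg[k] for k in ("device_id", "opcode", "args", "counter")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(msg: dict, key: bytes) -> dict:
    """Controller side: attach an HMAC-SHA256 over the canonical fields."""
    signed = dict(msg)
    signed["sig"] = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return signed


class CommandGate:
    """Device side: accept a command only if it is signed, fresh and addressed to us.

    Assumed provisioning: each device holds its own key shared only with the
    controller, never a fleet-wide hard-coded secret.
    """

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.last_counter = 0  # monotonic counter defeats replay of old messages

    def accept(self, raw: bytes) -> tuple:
        try:
            msg = json.loads(raw)
        except ValueError:
            return False, "malformed"
        if not isinstance(msg, dict) or any(f not in msg for f in REQUIRED):
            return False, "malformed"
        if msg["device_id"] != self.device_id:
            return False, "wrong device"
        expected = hmac.new(self.key, canonical_bytes(msg), hashlib.sha256).hexdigest()
        # Constant-time comparison; an unsigned or tampered message fails here.
        if not hmac.compare_digest(expected.encode(), str(msg["sig"]).encode()):
            return False, "bad signature"
        if not isinstance(msg["counter"], int) or msg["counter"] <= self.last_counter:
            return False, "replay"
        self.last_counter = msg["counter"]
        if msg["opcode"] == OPCODE_REMOTE_COMMAND:
            # The as-is shell execution path is deliberately not reproduced;
            # a real handler would still restrict what an authorised issuer may run.
            return True, "remote command accepted from authorised issuer"
        return True, "opcode %s accepted" % msg["opcode"]


def demo() -> dict:
    """Constructed messages: one genuine, one tampered, one replayed, one unsigned."""
    key = secrets.token_bytes(32)
    gate = CommandGate("er2000-0001", key)
    legit = sign_command({"device_id": "er2000-0001", "opcode": OPCODE_REMOTE_COMMAND,
                          "args": "uptime", "counter": 1}, key)
    forged = dict(legit, args="reboot")  # body changed, signature no longer matches
    unsigned = {"device_id": "er2000-0001", "opcode": OPCODE_REMOTE_COMMAND,
                "args": "uptime", "counter": 2, "sig": ""}
    return {
        "legit": gate.accept(json.dumps(legit).encode()),
        "forged": gate.accept(json.dumps(forged).encode()),
        "replay": gate.accept(json.dumps(legit).encode()),
        "unsigned": gate.accept(json.dumps(unsigned).encode()),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The gate answers the two gaps the article names: a message must prove it came from a holder of this device’s key (not a fleet-wide credential), and a captured message cannot be replayed because the counter only moves forward.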

The issues have been assigned the following CVE identifiers –

  • CVE-2023-33375 (CVSS score: 8.6) – A stack-based buffer overflow vulnerability in its communication protocol, enabling attackers to take control over devices.
  • CVE-2023-33376 (CVSS score: 8.6) – An argument injection vulnerability in its iptables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
  • CVE-2023-33377 (CVSS score: 8.6) – An operating system command injection vulnerability in the set firewall command in part of its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
  • CVE-2023-33378 (CVSS score: 8.6) – An argument injection vulnerability in its AT command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
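Three of the four CVEs are argument or OS command injection in command messages (iptables, set firewall, AT command). As an added example that is not ConnectedIO’s or Claroty’s code, the block below shows the shape of a firewall-rule handler that pastes message fields into a shell command line next to a hardened handler that parses each field into the only type it may legally be and builds an argv list. The message fields (`host`, `port`) and the exact rule form are assumptions for the illustration.

```python
"""
Added example (not ConnectedIO's or Claroty's code): an unsafe and a hardened
handler for a "set firewall" style command message. Field names and the
rule shape are assumptions; the injection classes are those in the CVE list.
"""
import ipaddress
import shlex


def build_rule_unsafe(host: str, port: str) -> str:
    """'Before' shape: untrusted fields pasted into one shell command line.
    Extra iptables flags or shell metacharacters in a field become part of
    the command, which is exactly the argument/command-injection class."""
    return "iptables -A INPUT -s %s -p tcp --dport %s -j DROP" % (host, port)


def build_rule_safe(host: str, port: str) -> list:
    """Hardened: validate each field by parsing it, then emit an argv list
    intended for subprocess.run(argv, check=True) with shell=False."""
    try:
        # ip_network rejects anything that is not an address or CIDR, so
        # spaces, dashes and separators never reach the command.
        net = ipaddress.ip_network(host, strict=False)
    except ValueError as exc:
        raise ValueError("host is not an IP address or CIDR: %r" % host) from exc
    # isascii() guards against non-ASCII digit strings that int() would accept.
    if not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
        raise ValueError("port must be an integer 1-65535: %r" % port)
    return ["iptables", "-A", "INPUT", "-s", str(net), "-p", "tcp",
            "--dport", str(int(port)), "-j", "DROP"]


def handle_set_firewall(fields: dict) -> tuple:
    """Command handler that never lets a bad field reach the OS."""
    try:
        argv = build_rule_safe(str(fields.get("host", "")), str(fields.get("port", "")))
    except ValueError as exc:
        return False, str(exc)
    return True, argv


def compare(host: str, port: str) -> dict:
    """Constructed comparison: how many argv tokens each builder would hand
    to iptables, and whether the hardened path accepts the fields at all."""
    unsafe_tokens = shlex.split(build_rule_unsafe(host, port))
    ok, result = handle_set_firewall({"host": host, "port": port})
    return {"unsafe_tokens": len(unsafe_tokens), "safe_ok": ok, "safe": result}


if __name__ == "__main__":
    print(compare("10.0.0.5", "22"))            # accepted, 11 tokens either way
    print(compare("10.0.0.5 -j ACCEPT", "22"))  # unsafe grows to 13 tokens; safe rejects
    print(compare("10.0.0.5", "22; reboot"))    # safe rejects the port field
```

The same pattern applies to the AT command message: parse the parameter into its legal type (a digit string, an enum value) and pass it as a discrete argument, never as text spliced into a command line.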

“These vulnerabilities, if exploited, could pose serious risk for thousands of companies around the world, allowing attackers to disrupt the companies’ business and production, along with giving them access to the companies’ internal networks,” Moshe stated.

“In the most severe scenario, these flaws could allow an attacker to fully compromise the device and alter its internal configuration, potentially leading to either incorrect measurements from monitored machines, or denial-of-service attacks,” Nozomi Networks stated.