What are the vulnerabilities in Telit Cinterion cellular modems?

Telit Cinterion cellular modems have eight distinct vulnerabilities, with seven assigned CVE identifiers from CVE-2023-47610 to CVE-2023-47616. The most severe, CVE-2023-47610 (CVSS score 9.8), is a heap overflow in the modem’s User Plane Location (SUPL) message handlers, allowing remote code execution via crafted SMS messages without authentication.

What is the impact of CVE-2023-47610 on Telit Cinterion modems?

CVE-2023-47610 allows attackers to execute remote code on the modem by sending crafted SMS messages, potentially granting deep-level access to the modem's operating system, allowing manipulation of RAM and flash memory, and seizing full control over modem functionalities without physical access.

Which Telit Cinterion modem platforms are affected?

The vulnerable platforms include Cinterion EHS5-E series modem, Cinterion BGS5, Cinterion EHS5/6/7, Cinterion PDS5/6/8, Cinterion ELS61/81, and Cinterion PLS62.

What mitigation strategies are recommended for these vulnerabilities?

Kaspersky recommends several mitigation strategies: disabling SMS sending, enforcing application signature verification to block untrusted MIDlets, and implementing physical security measures to prevent unauthorized physical access to the devices.

Advisory

Telit Cinterion modems vulnerable to Remote Code Execution through SMS

published: May 13, 2024

Take action: If you are using Telit Cinterion modems, make sure you update them, and if not possible disable SMS message interface and isolate them in a private APN.

Learn More

Telit Cinterion cellular modems, extensively used in industrial, healthcare, and telecommunications sectors, have a critical security vulnerabilities that could allow remote attackers to execute arbitrary code through SMS messages.

Eight distinct vulnerabilities were uncovered, with seven assigned CVE identifiers from CVE-2023-47610 to CVE-2023-47616. The vulnerabilities were reported by Kaspersky's ICS CERT division in November 2023, following initial reports to the vendor in February 2023.

CVE-2023-47610 (CVSS score 9.8) - the most severe vulnerability, characterized by a heap overflow in the modem’s User Plane Location (SUPL) message handlers. Exploitation through crafted SMS messages enables remote code execution on the modem without needing authentication. The SMS messaging interface is universally present on all modems, and if the subscriber number of the target modem within a cellular network is known, access can be achieved. Although some operator restrictions might prevent sending binary SMS, utilizing a fake base station can bypass this restriction. Successful exploitation of CVE-2023-47610 permits attackers deep-level access to the modem's operating system, allowing manipulation of RAM and flash memory, and thereby potentially seizing full control over modem functionalities without needing physical device access.

The other vulnerabilities discovered by Kaspersky have lower severity scores, up to CVSS 7.8.

Vulnerable platforms are:

Cinterion EHS5-E series modem
Cinterion BGS5
Cinterion EHS5/6/7
Cinterion PDS5/6/8
Cinterion ELS61/81
Cinterion PLS62

Telit has addressed some, but not all, of the disclosed vulnerabilities. Kaspersky recommends several mitigation strategies:

Disable SMS Sending: Prevent sending SMS to affected devices and use a securely configured private APN.
Application Signature Verification: Enforce verification to block untrusted MIDlets.
Physical Security Measures: Prevent unauthorized physical access to the devices.

Telit Cinterion modems vulnerable to Remote Code Execution through SMS

Read More
Critical authentication bypass flaw reported in Amp'ed RF …
Rockwell Automation fixes critical flaw in Verve Asset …
Socomec Modulys GP UPS MOD3GP-SY-120K has critical vulnerabilites, …
CISA reports critical security flaws in SystemK's NVR …
Hackers attempt to exploit zero-day flaws in PTZOptics …