Recent findings have unveiled multiple critical security vulnerabilities in ConnectedIO’s ER2000 edge routers and associated cloud management platform that can be exploited by cybercriminals to run malicious code and gain access to sensitive information. This revelation poses a serious risk to numerous organizations that rely on these technologies.
The vulnerabilities could give attackers complete access to the cloud infrastructure, enabling them to remotely execute code and exfiltrate customer and device data, as highlighted by Claroty’s Noam Moshe in a recent analysis. Exploits targeting the 3G and 4G routers may expose extensive internal networks to significant threats, facilitating control over connected devices, traffic interception, and infiltration of Extended Internet of Things (XIoT) devices.
Specifically, flaws affecting versions v2.1.0 and earlier of the ConnectedIO platform, especially the 4G ER2000 routers and cloud services, can be chained together, granting attackers the ability to execute arbitrary code on cloud-based devices without direct access. Notably, vulnerabilities in the communication protocol, including the widely-used MQTT protocol, involve hard-coded authentication credentials that could enable the registration of unauthorized devices, allowing access to MQTT messages containing critical information like device identifiers, Wi-Fi settings, and security passwords.
The exploitation of these vulnerabilities could empower threat actors not only to impersonate various connected devices using leaked IMEI numbers but also to issue arbitrary commands by leveraging malformed MQTT messages. Such capabilities stem from a specific bash command identified by the opcode “1116,” which executes commands without requiring additional authentication; the sender merely needs the ability to write to the relevant topic. Moshe detailed that this lack of sender validation enables arbitrary command execution across all devices involved.
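The two weaknesses described above, a shared hard-coded broker credential and command topics that accept writes from any authenticated client, are both broker-authorization problems. As an added illustration (not ConnectedIO’s configuration, and the disclosure does not name the broker in use), the following Mosquitto fragments contrast a setup that reproduces those weaknesses with one that binds each router to its own identity and restricts which topics it may read and write; the topic names and the `ops-controller` account are assumed for the example:

```conf
# --- weak (mirrors the disclosed design) ---
# mosquitto.conf
allow_anonymous false
password_file /etc/mosquitto/passwd   # one shared "fleet" account baked into every router
# no acl_file: any client holding the shared credential may publish to any topic,
# including every device's command topic, and subscribe to every device's messages

# --- hardened ---
# mosquitto.conf
listener 8883
cafile   /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile  /etc/mosquitto/broker.key
require_certificate true          # each router presents its own client certificate
use_identity_as_username true     # username becomes the certificate CN, not a shared secret
allow_anonymous false
acl_file /etc/mosquitto/acl

# /etc/mosquitto/acl
# %u expands to the authenticated username (the device certificate CN),
# so a router can only read its own command topic and write its own status
pattern read  devices/%u/cmd
pattern write devices/%u/status
pattern write devices/%u/telemetry

# only the management service may publish commands, and only to cmd topics
user ops-controller
topic write devices/+/cmd
topic read  devices/+/status
topic read  devices/+/telemetry
```

With the hardened ACL in place, a client that registers with a stolen or guessed identity still cannot write to another device’s `cmd` topic or subscribe to other devices’ messages, and the broker log records the denied publish and subscribe attempts for detection.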
Identified vulnerabilities have been assigned several Common Vulnerabilities and Exposures (CVE) identifiers, each receiving a high CVSS score of 8.6, denoting a critical risk level. These include a stack-based buffer overflow in the platform’s communication protocol (CVE-2023-33375), as well as multiple argument injection vulnerabilities in commands integral to the communication protocol. These security gaps could facilitate the execution of arbitrary operating system commands on affected devices.
The implications of these vulnerabilities are severe; if exploited, they could disrupt business operations for thousands of companies globally, allowing attackers to manipulate internal networks and leading to business interruption and data breaches. Additionally, the disclosure coincides with the identification of vulnerabilities in network-attached storage (NAS) devices from Synology and Western Digital that could potentially be weaponized to take control of these systems, thereby compromising stored data and redirecting users to attacker-controlled devices.
This pattern of vulnerabilities is further exacerbated by the recent discovery of unpatched security flaws in Baker Hughes’ Bently Nevada 3500 rack model, which could allow attackers to bypass authentication protocols and gain complete access to the device. The risks may range from inaccurate monitoring of machinery to outright denial-of-service attacks, as noted by Nozomi Networks.
Given the sophistication of these vulnerabilities and the potential for exploitation, it is essential for organizations utilizing these technologies to understand the associated risks. Business owners must therefore implement robust security measures, monitoring protocols, and remediation strategies to safeguard against potential cyber threats originating from these vulnerabilities.