Recent security audits of the OvrC cloud platform have revealed a series of vulnerabilities—specifically ten—that could enable attackers to execute code remotely on devices managed through the platform. These vulnerabilities, if exploited, could allow unauthorized individuals to commandeer devices including smart power supplies, surveillance cameras, routers, and home automation systems.

Uri Katz, a researcher with Claroty, highlighted that successful exploitation could provide attackers with the capability to access, control, and disrupt a variety of devices supporting the OvrC ecosystem. The platform—known as OvrC and marketed as a “revolutionary support solution” by Snap One—facilitates remote configuration and troubleshooting of Internet of Things (IoT) devices scattered across more than 500,000 end-user locations, according to company claims.

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has issued a coordinated advisory, indicating that these vulnerabilities could allow attackers to impersonate devices, execute arbitrary code, and glean sensitive information from those devices. The issues are relevant for the OvrC Pro and OvrC Connect services, with patches for eight vulnerabilities released in May 2023 and two additional fixes expected by November 2024.

Katz indicated that many of the discovered vulnerabilities stem from overlooked security in the device-to-cloud interface. Weak identifiers and inadequate access controls have particularly facilitated opportunities for attackers to cross-claim devices. Issues include authentication bypasses and flaws in input validation, which collectively heighten the risk of remote code execution.

By exploiting these security gaps, an attacker could bypass cloud management interfaces and gain unauthorized entry, leading to further malicious activities such as profiling devices, escalating privileges, and running arbitrary code. Such breaches could also allow adversaries to manipulate power supplies and disrupt various business and home automation systems connected to the OvrC cloud.

Among the most critical vulnerabilities identified are CVE-2023-28649 and CVE-2023-31241, each scoring 9.2 on the CVSS v4 scale. These allow attackers to impersonate a device hub and claim unregistered devices, respectively. Additionally, CVE-2023-28386, which permits arbitrary firmware updates leading to code execution, poses a severe threat and has a similar CVSS score. There’s also CVE-2024-50381, which enables hub impersonation and arbitrary device unclaiming, further illustrating the level of risk.
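The article describes two weakness classes without showing code: a device-to-cloud claim step that trusts a predictable identifier alone (so unregistered devices can be cross-claimed or unclaimed by whoever guesses the id) and a firmware update path with no integrity check on the image. The following constructed model is an added example, not OvrC's or Snap One's code, and it contrasts a weak registry with a hardened one and adds a firmware-verification check. All device ids, claim secrets, account names, the `Device`, `WeakRegistry`, `HardenedRegistry` and `demo` names, and the vendor key are assumptions made for the example; the HMAC tag stands in for the asymmetric signature a real vendor would use.

```python
"""Constructed model of a cloud device-claim and firmware-update path.

Not OvrC's code. Every identifier, secret and account name below is an
assumption made for this example.
"""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumption: stand-in for a vendor signing key. A real system would verify an
# asymmetric signature with a public key baked into the device, so that no
# secret capable of producing valid tags ever lives on the device itself.
VENDOR_FIRMWARE_KEY = b"constructed-vendor-signing-key"


@dataclass
class Device:
    device_id: str                 # predictable identifier (e.g. derived from a MAC address)
    claim_secret: str              # per-unit secret shipped with the hardware (assumed)
    owner: Optional[str] = None    # account that currently owns the device


class WeakRegistry:
    """Weak design: knowing the predictable device id is the only 'proof'."""

    def __init__(self, devices):
        self.devices = {d.device_id: d for d in devices}

    def claim(self, device_id: str, account: str) -> bool:
        d = self.devices.get(device_id)
        if d is None:
            return False
        d.owner = account          # no proof of possession, no ownership check
        return True


class HardenedRegistry(WeakRegistry):
    """Hardened design: claiming needs the per-unit secret, and an owned device is never re-claimed."""

    def claim(self, device_id: str, account: str, presented_secret: str = "") -> bool:
        d = self.devices.get(device_id)
        if d is None:
            return False
        # Constant-time comparison of the proof-of-possession secret.
        if not hmac.compare_digest(d.claim_secret.encode(), presented_secret.encode()):
            return False
        if d.owner is not None and d.owner != account:
            return False           # another account owns it: reject the cross-claim
        d.owner = account
        return True

    def unclaim(self, device_id: str, account: str) -> bool:
        d = self.devices.get(device_id)
        if d is None or d.owner != account:
            return False           # only the current owner may release the device
        d.owner = None
        return True


def sign_firmware(blob: bytes, key: bytes = VENDOR_FIRMWARE_KEY) -> bytes:
    """Tag a firmware image (stand-in for the vendor's signature)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def accept_firmware(blob: bytes, tag: bytes, key: bytes = VENDOR_FIRMWARE_KEY) -> bool:
    """Reject any image whose tag does not verify; the weak path simply skipped this check."""
    return hmac.compare_digest(sign_firmware(blob, key), tag)


def demo() -> dict:
    """Run both registries against the same constructed inventory and return the outcomes."""
    def inventory():
        return [Device("dev-0001", "K7Q2-9XLM"), Device("dev-0002", "ZP4R-1HTC")]

    weak = WeakRegistry(inventory())
    hard = HardenedRegistry(inventory())
    results = {
        "weak_claim_without_secret": weak.claim("dev-0001", "unknown-account"),
        "hard_claim_wrong_secret": hard.claim("dev-0001", "unknown-account", "0000-0000"),
        "hard_claim_right_secret": hard.claim("dev-0001", "alice", "K7Q2-9XLM"),
        "hard_cross_claim": hard.claim("dev-0001", "mallory", "K7Q2-9XLM"),
        "hard_unclaim_by_non_owner": hard.unclaim("dev-0001", "mallory"),
        "hard_unclaim_by_owner": hard.unclaim("dev-0001", "alice"),
    }
    image = b"constructed firmware image v1"
    tag = sign_firmware(image)
    results["firmware_valid"] = accept_firmware(image, tag)
    results["firmware_tampered"] = accept_firmware(image + b"\x00", tag)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

The weak registry returns `True` for a claim by an account that presents nothing but the id, which is the cross-claim condition the article attributes to weak identifiers and inadequate access controls; the hardened registry refuses the same call, refuses a second account even when it holds the secret, and lets only the current owner unclaim. The firmware check shows the shape of the missing validation: a tampered image fails verification before anything is flashed.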

Katz emphasized that the rise in connected devices, coupled with the increasing reliance on cloud management, underscores the urgency for manufacturers and service providers to secure their offerings against such threats. Unmitigated vulnerabilities can have disproportionate negative impacts on critical devices, including connected power supplies and networking infrastructure used in both private and corporate environments.

In a related note, Nozomi Networks has uncovered additional vulnerabilities within the GoAhead web server framework, which may pose risks to embedded and IoT devices under specific conditions. This follows reports of multiple security weaknesses identified in Johnson Controls’ exacqVision Web Service, which could be combined to take control over surveillance camera feeds.

As the cybersecurity landscape evolves, business owners are urged to remain vigilant and proactive in addressing such vulnerabilities, especially when relying on cloud-based services for critical operational infrastructure.
