Critical Vulnerabilities in Cinterion Modems Exposed

Critical vulnerabilities have been found within Cinterion cellular modems. Disclosed during a Kaspersky presentation at OffensiveCon in Berlin on May 11, these flaws could allow remote attackers to execute arbitrary code, posing a significant threat to the integrity of millions of industrial devices reliant on these modems.

The identified vulnerabilities, including CVE-2023-47610, highlight severe security weaknesses within the modem’s SUPL message handlers. Exploiting this flaw via SMS could grant attackers unauthorized access to the modem’s operating system, enabling them to manipulate RAM and flash memory without needing authentication or physical device access.

Moreover, investigations uncovered flaws in the handling of MIDlets, Java-based applications running on the modems. By bypassing digital signature checks, attackers could execute unauthorized code with elevated privileges, posing risks to data confidentiality and broader network security.

Evgeny Goncharov, head of Kaspersky ICS CERT, emphasized the potential for widespread disruption across various sectors due to the extensive deployment of these modems. 

“These disturbances range from economic and operational impacts to safety issues. Since the modems are typically integrated in a matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging,” he said.

“Affected vendors must undertake extensive efforts to manage risks, with mitigation often feasible only on the telecom operators’ side.”

Read more on router security: US Thwarts Volt Typhoon Cyber-Espionage Campaign Through Router Disruption

To defend against this threat, Kaspersky recommended disabling nonessential SMS messaging capabilities and enforcing rigorous digital signature verification for MIDlets. They also urged stakeholders to control physical access to devices and conduct regular security audits and updates.

The vulnerabilities have been shared with the manufacturer, but the intricate supply chain involving Gemalto (now under Thales), and subsequently Telit, complicates mitigation efforts.