08 ноября 2023
KLCERT-23-018: Telit Cinterion (Thales/Gemalto) modules. Buffer Copy without Checking Size of Input vulnerability
Vendor
Telit Cinterion
-
CVE
-
KLCERT
KLCERT-23-018
Timeline
Timeline
-
Kaspersky ICS CERT advisory published
08 ноября 2023
-
Vulnerability reported
Февраль 2023
Description
A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message.
CVSS v3
Exploitability
Remotely
Attack complexity
User interaction
Confidentiality
Integrity
High
Availability
High
Impact
Affected products
The following Telit products:
- Telit Cinterion BGS5 (All versions)
- Telit Cinterion EHS5/6/8 (All versions)
- Telit Cinterion PDS5/6/8 (All versions)
- Telit Cinterion ELS61/81 (All versions)
- Telit Cinterion PLS62 (All versions).
Mitigation
Kaspersky ICS CERT mitigation
- Contact the mobile operator to disable the sending of SMS messages to the device.
- Use private APN with carefully configured security settings to limit impact of any potential exploit. Review the current security configuration in setups that already use private APN.
Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees with respect to information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
