CVE-2023-33374
Description
Connected IO v2.1.0 and prior has a command as part of its communication protocol allowing the management platform to specify arbitrary OS commands for devices to execute. Attackers abusing this dangerous functionality may issue all devices OS commands to execute, resulting in arbitrary remote command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Connected IO v2.1.0 and prior allows arbitrary OS command execution via a command in its communication protocol, enabling remote attackers to execute commands on all devices.
Vulnerability
Connected IO versions 2.1.0 and prior include a command in their communication protocol that allows the management platform to specify arbitrary OS commands for devices to execute. This dangerous functionality is part of the protocol design, and no special configuration is required to reach the vulnerable code path. The affected versions are all releases up to and including v2.1.0 [1].
Exploitation
An attacker who can abuse the management platform's communication channel can issue arbitrary OS commands to all connected devices. The attacker does not need authentication if the protocol is exposed; they only need network access to the management interface or the ability to inject malicious commands into the protocol stream. The exact sequence involves crafting a command message that includes an OS command, which the device then executes without sanitization [1].
Impact
Successful exploitation results in arbitrary remote command execution on all devices managed by the platform. The attacker gains full control over the device's operating system, leading to complete compromise of confidentiality, integrity, and availability of the device and potentially the network it serves [1].
Mitigation
As of the publication date (2023-08-04), no official patch or fixed version has been announced in the available references. Users should monitor vendor advisories and consider isolating the management platform from untrusted networks. If a fix becomes available, upgrading to a patched version is recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Connected IO/Connected IO
- Range: <=2.1.0
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.