CVE-2023-33377
Description
Connected IO v2.1.0 and prior has an OS command injection vulnerability in the set firewall command in part of its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Connected IO v2.1.0 and prior allows remote attackers to execute arbitrary commands via the set firewall command.
Vulnerability
The Connected IO device firmware v2.1.0 and prior contains an OS command injection vulnerability in the set firewall command within its communication protocol [1]. An attacker can inject arbitrary OS commands through specially crafted requests, as the input is not properly sanitized before being passed to a system shell.
Exploitation
An attacker with network access to the device can send a malicious command injection payload as part of the set firewall command. No authentication is required, as the command is processed before any access control checks. The attack requires only the ability to send packets to the device's management interface.
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges, leading to full compromise of the device. This can result in data exfiltration, denial of service, or use of the device as a pivot point for further network attacks.
Mitigation
As of the publication date (2023-08-04), no patch has been released by Connected IO [1]. Users are advised to restrict network access to the device to trusted hosts only, monitor for suspicious activity, and contact the vendor for updates. If the device is no longer supported, consider replacing it with a patched alternative.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Connected IO/Connected IO
- Range: <=2.1.0
Patches
No patches discovered yet.