CVE-2023-33378
Description
Connected IO v2.1.0 and prior has an argument injection vulnerability in the AT command message of its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Argument injection in Connected IO's AT command protocol allows unauthenticated remote attackers to execute arbitrary OS commands on devices running v2.1.0 and prior.
Vulnerability
Connected IO v2.1.0 and prior suffers from an argument injection vulnerability in the AT command message handling of its communication protocol [1]. This allows an attacker to inject arbitrary arguments into the command parsing logic, leading to execution of unintended OS-level commands [1]. The vulnerability exists within the device's firmware and does not require any special configuration beyond default settings [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted AT command message to the targeted device over the network [1]. No authentication is required, and the attacker does not need prior access to the device [1]. The injection occurs during the parsing of the message, where improper validation allows the attacker to insert OS command separators and arguments [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with the privileges of the communication service, which typically runs as root or a high-integrity user [1]. This results in full compromise of the device's confidentiality, integrity, and availability, enabling actions such as data exfiltration, firmware modification, or complete device takeover [1].
Mitigation
Connected IO has not released a fixed version as of the publication date [1]. Users should monitor vendor advisories and apply patches when available [1]. As a workaround, restrict network access to the affected devices and monitor for anomalous AT command traffic [1]. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Connected IO/Connected IO
- Range: <=2.1.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.