Full Report
A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists in Telit Cinterion EHS5/6/8 that could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message.
Analysis Summary
# Vulnerability: Remote Code Execution via SMS in Telit Cinterion Modules
## CVE Details
- **CVE ID:** CVE-2023-47610
- **CVSS Score:** 8.1 (High) - *Note: While the article text mentions 0.0, the provided vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H calculates to 8.1.*
- **CWE:** CWE-120 (Buffer Copy without Checking Size of Input)
## Affected Systems
- **Products:** Telit Cinterion (formerly Thales/Gemalto) cellular modules.
- **Versions:** All versions of EHS5, EHS6, and EHS8.
- **Configurations:** Devices capable of receiving SMS messages.
## Vulnerability Description
A classic buffer overflow vulnerability exists in the way the Telit Cinterion EHS5/6/8 firmware handles incoming SMS messages. The system fails to properly validate the size of the input data before copying it into a memory buffer. Because this flaw is located in the cellular interface handling components, an attacker can trigger the overflow by sending a specially crafted SMS message to the device's phone number.
## Exploitation
- **Status:** PoC availability and in-the-wild exploitation status are not explicitly detailed in the source; the vulnerability was reported by Kaspersky ICS CERT researchers.
- **Complexity:** High (Requires specific knowledge of the module's internal memory architecture to achieve arbitrary code execution).
- **Attack Vector:** Network (Remote exploitation via the cellular network/SMS protocol).
## Impact
- **Confidentiality:** High (Potential for unauthorized data access).
- **Integrity:** High (Potential for arbitrary code execution and system modification).
- **Availability:** High (Potential for device bricking or persistent denial of service).
## Remediation
### Patches
- The advisory indicates that users should contact the vendor (Telit/Cinterion) directly for firmware updates, as "All versions" of the listed modules were identified as vulnerable at the time of publication.
### Workarounds
- **Disable SMS:** Contact the mobile network operator (MNO) to disable the SMS reception capability for the SIM cards used in these devices.
- **Private APN:** Transition devices to a private Access Point Name (APN) with strict security filtering to reduce the exposure of the device to the public cellular network.
## Detection
- **Indicators of Compromise:** Unusual device reboots or communication failures after receiving malformed or unexpected SMS messages.
- **Detection methods and tools:** Monitoring cellular traffic for non-standard or malformed SMS Protocol Data Units (PDUs).
## References
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2023/11/08/klcert-23-018-telit-cinterion-thales-gemalto-modules-buffer-copy-without-checking-size-of-input-vulnerability/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2023-47610