Full Report
A CWE-269: Improper Privilege Management vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to elevate privileges to “manufacturer” level on the targeted system.
Analysis Summary
# Vulnerability: Privilege Escalation in Telit Cinterion Modules
## CVE Details
- **CVE ID:** CVE-2023-47611
- **CVSS Score:** 7.8 (High) - *Note: Based on Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H*
- **CWE:** CWE-269: Improper Privilege Management
## Affected Systems
- **Products:** Telit Cinterion (formerly Thales/Gemalto) IoT Modules
- **Versions:**
  - **BGS5:** Before RN 2.000 (ARN 01.001.08)
  - **EHS5:** Before RN 4.013 (ARN 01.000.06)
  - **EHS6:** Rel.2 (Before RN 2.000); Rel.3 (Before RN 3.001); Rel.4 (Before RN 4.013)
  - **EHS8:** (Before RN 3.011); Rel.4 (Before RN 4.013)
  - **ELS61 (Various regions/releases):** Before versions including RN 1.004, RN 1.005, RN 1.000, RN 2.000, RN 2.012
  - **ELS81 (Various releases):** Before RN 4.000, RN 5.001, RN 5.012
  - **PDS5:** Rel.1 (Before RN 3.001); Rel.4 (Before RN 4.013)
  - **PDS6 / PDS8:** All versions
  - **PLS62-W:** All versions; Rel.1 (Before RN 4.013)
- **Configurations:** Systems allowing the execution of local code or installation of Java MIDlets.
## Vulnerability Description
An improper privilege management flaw exists in the firmware of several Telit Cinterion cellular modules. The vulnerability allows a local, low-privileged attacker to exploit flaws in how the system manages permissions, enabling them to elevate their access level to "manufacturer" level. This high-level access typically grants full control over the module's filesystem, configuration, and sensitive functions.
## Exploitation
- **Status:** PoC availability not explicitly confirmed in article; no reported active exploitation in the wild at time of publication.
- **Complexity:** Low
- **Attack Vector:** Local (Requires initial access to the system to execute commands)
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system firmware or configuration)
- **Availability:** High (Ability to disable the module)
## Remediation
### Patches
Users should update to the following Release Notes (RN) / Application Release Notes (ARN) versions or newer:
- **BGS5:** RN 2.000 / ARN 01.001.08
- **EHS5/EHS6-Rel4/EHS8-Rel4/PDS5-Rel4:** RN 4.013 / ARN 01.000.06
- **EHS6 Rel 2/3:** RN 2.000/3.001
- **ELS61/ELS81:** Refer to specific regional ARN/RN updates (e.g., ARN 01.000.03+)
### Workarounds
- **Signature Verification:** Enforce strict application signature verification to prevent the installation and execution of untrusted or unsigned MIDlets.
- **Physical Security:** Maintain strict control over physical access to the device during transportation and deployment to prevent the insertion of malicious local code or hardware backdoors.
## Detection
- **Indicators of Compromise:** Presence of unauthorized or unsigned Java MIDlets on the module.
- **Detection Methods:** Audit system privilege levels and monitor for unauthorized "manufacturer" level commands or filesystem changes.
## References
- **Kaspersky Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2023/11/08/klcert-22-216-telit-cinterion-thales-gemalto-modules-improper-privilege-management-vulnerability/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2023-47611