Full Report
A CWE-23: Relative Path Traversal vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to escape from virtual directories and get read/write access to protected files on the targeted system.
Analysis Summary
# Vulnerability: Path Traversal in Telit Cinterion Modules
## CVE Details
- **CVE ID:** CVE-2023-47613
- **CVSS Score:** 4.4 (Medium) — *Note: While the source text lists a calculation resulting in a low score, the standard CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N typically evaluates to 4.4.*
- **CWE:** CWE-23 (Relative Path Traversal)
## Affected Systems
- **Products:**
  - Telit Cinterion BGS5
  - Telit Cinterion EHS5/6/8
  - Telit Cinterion PDS5/6/8
  - Telit Cinterion ELS61/81
  - Telit Cinterion PLS62
- **Versions:** All versions currently listed as affected.
- **Configurations:** Systems running Java MIDlets or allowing local access to file directories.
## Vulnerability Description
A relative path traversal flaw exists within the handling of file paths in several Telit Cinterion cellular modules. The vulnerability allows an attacker to use special characters (such as `../`) to bypass security restrictions imposed by virtual directories. By "escaping" these restricted environments, an attacker can gain unauthorized read and write access to protected files on the underlying system that should otherwise be inaccessible to their privilege level.
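A lexical containment check of the kind a virtual directory needs to stop the `../` escape described above, as an added example (not code from the advisory or from the vendor's firmware). The function names, the sample paths and the treatment of `\` as a separator are assumptions made for illustration.

```python
class TraversalError(ValueError):
    """Raised when a requested path would climb above the virtual root."""


def resolve_in_virtual_root(requested: str) -> str:
    """Return the normalised path relative to the virtual root.

    A '..' at depth 0 would leave the virtual directory, so it is rejected
    rather than clamped or passed on to the real file system.
    """
    if "\x00" in requested:
        raise TraversalError("NUL byte in path")
    # Assumption: the backing file system may accept '\' as a separator,
    # so both are treated alike and 'dir\..\..' cannot slip past the check.
    parts = requested.replace("\\", "/").split("/")
    stack = []
    for part in parts:
        if part in ("", "."):
            continue  # leading '/', doubled separators and '.' change nothing
        if part == "..":
            if not stack:
                raise TraversalError(f"escapes virtual root: {requested!r}")
            stack.pop()
        else:
            stack.append(part)
    return "/".join(stack)


def audit(paths):
    """Split path requests into (allowed normalised paths, rejected inputs)."""
    allowed, rejected = [], []
    for p in paths:
        try:
            allowed.append(resolve_in_virtual_root(p))
        except TraversalError:
            rejected.append(p)
    return allowed, rejected


# Constructed sample requests, not taken from the advisory.
SAMPLE = [
    "logs/app.txt",
    "logs/../config/settings.txt",    # '..' used, but stays inside the root
    "../protected/keys.bin",          # climbs out immediately
    "logs/../../protected/keys.bin",  # climbs out after one valid step
    "logs\\..\\..\\protected",        # same escape written with backslashes
    "/./logs//app.txt",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check is purely lexical: it does not follow symbolic links or decode escaped characters, so any decoding has to happen before the path reaches it.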
## Exploitation
- **Status:** Not currently reported as exploited in the wild. PoC status details are not publicly specified in the internal report, though the mechanism is well understood.
- **Complexity:** Low
- **Attack Vector:** Local (Requires the ability to execute code or commands on the device, such as through a malicious MIDlet).
## Impact
- **Confidentiality:** Low (Unauthorized reading of protected files)
- **Integrity:** Low (Unauthorized modification of protected files)
- **Availability:** None
## Remediation
### Patches
- As of the advisory date, no specific firmware patch versions were listed. Users are advised to contact the vendor (Telit/Thales) for the latest security updates regarding these modules.
### Workarounds
- **Application Signing:** Enforce strict application signature verification. This ensures that only trusted, verified MIDlets can be installed and executed on the device, preventing the deployment of malicious code designed to exploit the traversal flaw.
- **Physical Security:** Maintain strict control over physical access to the modules during transportation and deployment to prevent the manual injection of backdoors or unauthorized files.
## Detection
- **Indicators of Compromise:** Unusual file system activity, specifically the presence of MIDlets from unknown sources or logs showing access attempts to directories outside of the standard application sandbox.
- **Detection Methods:** Audit installed MIDlets on the module and review file system permissions to ensure virtual directory restrictions are being respected.
## References
- **Vendor Advisory:** KLCERT-22-211
- **Relevant Links:**
  - hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2023/11/08/klcert-22-211-telit-cinterion-thales-gemalto-modules-relative-path-traversal/
  - hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2023-47613
  - hxxps[://]cwe[.]mitre[.]org/data/definitions/23[.]html