CVE-2023-33376

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Aug 4, 2023 / Updated: 15mo ago

010
CVSS 9.8EPSS 0.04%Critical
CVE info copied to clipboard

Connected IO v2.1.0 and prior has an argument injection vulnerability in its iptables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-33376. See article

Jun 8, 2023 at 5:42 PM / claroty.com
Static CVE Timeline Graph

Affected Systems

Connectedio/connected_io
+null more

Attack Patterns

CAPEC-137: Parameter Injection
+null more

References

US-CERT Vulnerability Summary for the Week of July 31, 2023
MISC cisco — cisco_sd-wan_vmanage A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
US-CERT Vulnerability Summary for the Week of July 31, 2023
MISC cisco — cisco_sd-wan_vmanage A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
US-CERT Vulnerability Summary for the Week of July 31, 2023
MISC cisco — cisco_sd-wan_vmanage A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
See 2 more references

News

High-Severity Flaws in ConnectedIO’s 3G/4G Routers Raise Concerns for IoT Security
CVE-2023-33376 (CVSS score: 8.6) – An argument injection vulnerability in its ip tables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices. CVE-2023-33378 (CVSS score: 8.6) – An argument injection vulnerability in its AT command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
ConnectedIO's 3G/4G Routers vulnerable to remote code execution
If exploited, an attacker could gain complete control over the cloud infrastructure, remotely execute malicious code, and expose sensitive user and device data. A series of critical vulnerabilities has been uncovered in ConnectedIO's ER2000 edge routers, which pose significant threats to cloud infrastructure security.
Unveiling the Invisible: Navigating Through the Silent Threats in ConnectedIO’s 3G/4G Routers
This meticulous scrutiny of ConnectedIO’s hardware revealed that these vulnerabilities could be potentially exploited by adversaries to gain unauthorized access and exert control over the networks and devices tethered to these routers. Description: This security flaw allows attackers to execute arbitrary commands on all devices connected to the vulnerable router without necessitating additional authentication protocols, thereby jeopardizing the security integrity of devices and data alike.
Critical Flaws Found in ConnectedIO 3G/4G Routers, Posing Serious IoT Security Risks
· CVE-2023-33376 (CVSS score: 8.6) – An argument injection vulnerability in the ip tables command message in the communication protocol, enabling attackers to execute arbitrary OS commands on devices. · CVE-2023-33378 (CVSS score: 8.6) – An argument injection vulnerability in the AT command message in the communication protocol, enabling attackers to execute arbitrary OS commands on devices.
ConnectedIO’s 3G/4G Routers Vulnerability Let Hackers Execute Malicious Code
Critical issues in ConnectedIO’s ER2000 edge routers have been discovered, and an attacker can leverage them to compromise the cloud infrastructure completely, remotely execute malicious code, and expose all user and device data. Researchers have discovered four new vulnerabilities that allow attackers to execute remote code on all connected devices.
See 28 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI