Headline
CVE-2023-47612: KLCERT-22-194: Telit Cinterion (Thales/Gemalto) modules. Files or Directories Accessible to External Parties vulnerability | Kaspersky ICS CERT
A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow an attacker with physical access to the target system to obtain a read/write access to any files and directories on the targeted system, including hidden files and directories.
CVE
2023-47612
KLCERT
KLCERT-22-194
Sergey Anufrienko, Vulnerability Research Group Manager, Kaspersky ICS CERT
Alexander Kozlov, Kaspersky
Timeline
Timeline
Kaspersky ICS CERT advisory published
08 November 2023
Vulnerability reported
February 2023
Description
A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow an attacker with physical access to the target system to obtain a read/write access to any files and directories on the targeted system, including hidden files and directories.
Exploitability
Physical access is required
Impact
Successful exploitation of this vulnerability could allow an attacker with physical access to the target system to obtain a read/write access to any files and directories on the targeted system, including hidden files and directories.
Affected products
The following Telit products:
- Telit Cinterion BGS5 (All versions)
- Telit Cinterion EHS5/6/8 (All versions)
- Telit Cinterion PDS5/6/8 (All versions)
- Telit Cinterion ELS61/81 (All versions)
- Telit Cinterion PLS62 (All versions).
Mitigation
Kaspersky ICS CERT mitigation
- Control physical access to the device at all stages of transportation to protect against the embedding of backdoors.
Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees with respect to information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
Back to top
Timeline
Kaspersky ICS CERT advisory published
08 November 2023
Vulnerability reported
February 2023
Back to top
Related news
By Waqas Millions of IoT and industrial devices at risk! Critical vulnerabilities in Cinterion cellular modems allow remote attackers to take control. This is a post from HackRead.com Read the original post: Cinterion Modem Vulnerabilities Leave IoT and Industrial Networks Exposed