CVE-2023-47610 Overview
CVE-2023-47610 is a buffer overflow vulnerability (CWE-120: Buffer Copy without Checking Size of Input) affecting multiple Telit Cinterion cellular modem modules. This vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message to the vulnerable device.
The vulnerability is particularly concerning because it affects cellular modem firmware commonly deployed in IoT devices, industrial control systems, telematics units, and critical infrastructure. The attack vector via SMS means that any device with a mobile subscription can potentially be targeted without requiring direct network access to the device.
Critical Impact
Remote unauthenticated attackers can achieve arbitrary code execution on vulnerable Telit Cinterion cellular modems by sending malicious SMS messages, potentially compromising IoT devices and critical infrastructure systems.
Affected Products
- Telit BGS5 (Firmware)
- Telit EHS5 (Firmware)
- Telit EHS6 (Firmware)
- Telit EHS8 (Firmware)
- Telit PDS5 (Firmware)
- Telit PDS6 (Firmware)
- Telit PDS8 (Firmware)
- Telit ELS61 (Firmware)
- Telit ELS81 (Firmware)
- Telit PLS62 (Firmware)
Discovery Timeline
- November 9, 2023 - CVE-2023-47610 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-47610
Vulnerability Analysis
This buffer overflow vulnerability exists in the SMS message handling functionality of Telit Cinterion cellular modem firmware. The root cause is a classic buffer copy operation that fails to validate the size of incoming data before copying it into a fixed-size buffer. When processing SMS messages, the modem firmware does not properly verify that the message payload fits within the allocated buffer space, allowing attackers to overwrite adjacent memory regions.
The vulnerability is exploitable remotely over the cellular network without any authentication requirements. An attacker only needs to know the phone number (MSISDN) associated with the target device's SIM card to initiate an attack. This makes the vulnerability particularly dangerous for deployed IoT devices where phone numbers may be predictable or discoverable.
Successful exploitation grants the attacker code execution at the firmware level of the modem, which operates independently from any host operating system. This provides a highly privileged execution context that may persist across reboots and could be used to establish persistent backdoor access, intercept communications, or pivot to connected systems.
Root Cause
The vulnerability stems from insufficient input validation in the SMS message processing code within the Telit Cinterion modem firmware. Specifically, when the modem receives an SMS message via the cellular network, it copies the message content into a fixed-size memory buffer without first validating that the incoming data does not exceed the buffer's capacity. This classic CWE-120 (Buffer Copy without Checking Size of Input) flaw allows an attacker to craft an oversized SMS payload that overwrites memory beyond the intended buffer boundaries, potentially corrupting adjacent data structures or control flow information.
Attack Vector
The attack is conducted over the cellular network using SMS as the delivery mechanism. The attack flow involves:
- Reconnaissance: The attacker identifies the target device's phone number (MSISDN), which may be obtained through OSINT, social engineering, or scanning predictable number ranges.
- Payload Crafting: The attacker constructs a malicious SMS message containing an oversized payload designed to trigger the buffer overflow and achieve code execution.
- Delivery: The malicious SMS is sent to the target device through standard cellular SMS infrastructure.
- Exploitation: When the vulnerable modem firmware processes the incoming SMS, the buffer overflow occurs, allowing the attacker's payload to execute with modem firmware privileges.
The vulnerability requires no user interaction, authentication, or prior access to the target system. The network-based attack vector combined with the low attack complexity makes this vulnerability highly exploitable.
For detailed technical information, refer to the Kaspersky Security Advisory KLCert-23-018.
Detection Methods for CVE-2023-47610
Indicators of Compromise
- Unexpected modem reboots or firmware crashes that may indicate exploitation attempts
- Anomalous SMS traffic patterns or receipt of unusual/malformed SMS messages
- Unauthorized changes to modem configuration or AT command settings
- Unexpected network connections or data exfiltration from modem-connected devices
- Evidence of unauthorized firmware modifications or persistent implants
Detection Strategies
- Monitor cellular modem logs for SMS parsing errors, crashes, or unexpected restarts
- Implement network-level monitoring to detect anomalous SMS traffic directed at IoT device populations
- Deploy endpoint detection solutions capable of monitoring embedded device behavior for signs of compromise
- Establish baseline modem firmware hashes and periodically verify firmware integrity
Monitoring Recommendations
- Enable detailed logging on cellular modem management platforms
- Implement alerting for modem devices that become unresponsive or exhibit unusual behavior following SMS receipt
- Monitor for unauthorized AT command execution or configuration changes
- Track firmware version information across deployed modem fleet to identify vulnerable devices
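The following added example (not part of the original advisory or any vendor tooling) shows one way to implement the "restart following SMS receipt" alerting described above: it correlates modem resets with an SMS received on the same device shortly before. The log layout, the event names `SMS_RX` and `MODEM_RESET`, the device names and the 30-second window are all assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the "ts dev=<id> event=<name>" layout is an
# assumption for this example, not a Telit or platform log format.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z dev=meter-017 event=SMS_RX
2024-05-01T10:00:04Z dev=meter-017 event=MODEM_RESET
2024-05-01T10:02:00Z dev=meter-022 event=SMS_RX
2024-05-01T10:30:00Z dev=meter-022 event=MODEM_RESET
2024-05-01T11:15:10Z dev=meter-017 event=SMS_RX
2024-05-01T11:15:12Z dev=meter-017 event=MODEM_RESET
garbage line without fields
2024-05-01T12:00:00Z dev=pump-003 event=MODEM_RESET
"""
WINDOW = timedelta(seconds=30)  # assumed correlation window; tune per fleet


def parse(line):
    """Return (timestamp, device, event), or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        return ts, fields["dev"], fields["event"]
    except (ValueError, KeyError):
        return None


def resets_after_sms(log_text, window=WINDOW):
    """Map device -> [(sms_time, reset_time)] for resets inside the window."""
    last_sms, hits = {}, defaultdict(list)
    events = sorted(filter(None, map(parse, log_text.splitlines())))
    for ts, dev, event in events:
        if event == "SMS_RX":
            last_sms[dev] = ts  # remember the most recent SMS per device
        elif event == "MODEM_RESET" and dev in last_sms:
            if ts - last_sms[dev] <= window:
                hits[dev].append((last_sms.pop(dev), ts))
    return dict(hits)


def triage(hits, repeat_threshold=2):
    """Repeated correlated resets on one device rank above a single one."""
    return {d: "high" if len(p) >= repeat_threshold else "review"
            for d, p in hits.items()}
```

A reset with no preceding SMS, or one that falls outside the window, is left to ordinary availability monitoring rather than raised as a correlated alert.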
How to Mitigate CVE-2023-47610
Immediate Actions Required
- Inventory all deployed Telit Cinterion modem modules to identify vulnerable devices
- Contact Telit or your device vendor to obtain patched firmware versions
- Implement network segmentation to limit the blast radius of potentially compromised modem devices
- Where possible, disable SMS functionality if not required for device operation
- Review and restrict physical and network access to modem management interfaces
Patch Information
Organizations should contact Telit directly or work with their device vendors to obtain updated firmware that addresses CVE-2023-47610. Given the embedded nature of these modems, firmware updates may need to be applied through device-specific update mechanisms or over-the-air (OTA) update processes. For detailed patch information, consult the Kaspersky Security Advisory KLCert-23-018.
Workarounds
- Disable SMS reception on modem modules where SMS functionality is not operationally required
- Implement carrier-level SMS filtering or restrictions if supported by your cellular provider
- Deploy modems behind cellular gateways that can inspect and filter malicious SMS traffic
- Consider using private APNs with restricted SMS capabilities for critical deployments
- Implement defense-in-depth by ensuring compromised modems cannot easily pivot to connected host systems
# Example: Suppress incoming SMS indications via AT commands (verify compatibility with your specific modem)
# Connect to the modem via its serial interface and execute:
AT+CNMI=0,0,0,0,0
# This command configures the modem to not route incoming SMS notifications to the host.
# AT+CNMI (3GPP TS 27.005) only controls new-message indications; it does not by itself stop the modem from receiving SMS.
# Note: Consult your modem's AT command documentation for specific syntax


