CVE-2023-6248
Published: 21 November 2023
Summary
CVE-2023-6248 is a critical-severity Code Injection (CWE-94) vulnerability in Digitalcomtech Syrus 4G Iot Telematics Gateway Firmware. Its CVSS base score is 10.0 (Critical).
Operationally, ranked in the top 17.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58493
Vulnerability details
The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video…
more
and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations: * Get location data of the vehicle the device is connected to * Send CAN bus messages via the ECU module ( https://syrus.digitalcomtech.com/docs/ecu-1 https://syrus.digitalcomtech.com/docs/ecu-1 ) * Immobilize the vehicle via the safe-immobilizer module ( https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization ) * Get live video through the connected video camera * Send audio messages to the driver ( https://syrus.digitalcomtech.com/docs/system-tools#apx-tts https://syrus.digitalcomtech.com/docs/system-tools#apx-tts )
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Wireless link protection (encryption, directional transmission, etc.) directly prevents unauthorized actors from observing transmitted data.
Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.
Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Audit record review and analysis can detect unauthorized exposure or access to sensitive information.
Mandating documentation of security requirements for exchanges includes specifying and enforcing authentication mechanisms between systems.
Penetration testing probes authentication mechanisms for bypasses, allowing identification and fixing of improper authentication issues.
A data action map identifies locations where sensitive information may be exposed to unauthorized actors during processing or transfer.