November 13, 2024 at 07:15AM
A security analysis of the OvrC cloud platform revealed ten vulnerabilities that could allow remote code execution on connected devices. These flaws impact OvrC Pro and Connect, with some allowing attackers to impersonate devices and access unauthorized controls. Fixes were issued in May 2023 and November 2024.
### Meeting Takeaways – November 13, 2024
1. **Vulnerability Identification**:
– A security analysis of the OvrC cloud platform has revealed **10 vulnerabilities** that may lead to remote code execution on connected IoT devices.
– The affected devices include smart electrical power supplies, cameras, routers, and home automation systems.
2. **Impact of Vulnerabilities**:
– Successful exploitation could enable attackers to access, control, and disrupt OvrC-supported devices.
– Kaspersky’s researcher, **Uri Katz**, highlighted that issues stem mainly from weak device-to-cloud interfaces, including poor identifiers and vulnerabilities like weak access controls.
3. **Details on Vulnerabilities**:
– **CISA Advisory**: The U.S. Cybersecurity and Infrastructure Security Agency warns that these vulnerabilities could allow attackers to impersonate devices, execute arbitrary code, and disclose sensitive information.
– **Released Fixes**: Snap One released patches for eight vulnerabilities in May 2023 and addressed the remaining two on November 12, 2024.
4. **Severe Vulnerabilities**:
– **CVE-2023-28649** (CVSS score: 9.2): Enables hub impersonation and device hijacking.
– **CVE-2023-31241** (CVSS score: 9.2): Allows attackers to claim unclaimed devices by bypassing serial number checks.
– **CVE-2023-28386** (CVSS score: 9.2): Permits uploading of arbitrary firmware updates, leading to code execution.
– **CVE-2024-50381** (CVSS score: 9.1): Facilitates hub impersonation and arbitrary device unclaiming.
5. **Broader Security Context**:
– The vulnerabilities arise at a time when connected devices are proliferating and cloud management is increasingly essential.
– Other vulnerabilities were also noted, including security flaws in EmbedThis GoAhead and Johnson Controls’ exacqVision Web Service.
6. **Expert Opinion**:
– Katz emphasized the critical need for manufacturers and cloud service providers to enhance the security of their devices and connections due to the increasing risks associated with more devices coming online.
**Next Steps**:
– Ensure all relevant teams are informed of the vulnerabilities and the importance of compliance with the released patches.
– Monitor ongoing updates from CISA and other cybersecurity authorities for further developments.