CVE-2023-33378 – Connected IO v2.1.0 and prior has an argument i... (How to Fix)

Q: What is the severity of CVE-2023-33378?

CVE-2023-33378 has a CVSS score of 9.8 (CRITICAL). Connected IO v2.1.0 and prior has an argument injection vulnerability in its AT command message handling, allowing attackers to execute arbitrary operating system commands on affected devices. This affects Connected IO routers and similar IoT devices running vulnerable firmware versions.

📋 TL;DR

Connected IO v2.1.0 and prior has an argument injection vulnerability in its AT command message handling, allowing attackers to execute arbitrary operating system commands on affected devices. This affects Connected IO routers and similar IoT devices running vulnerable firmware versions.

💻 Affected Systems

Products:

Connected IO routers and IoT devices

Versions: v2.1.0 and prior

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Devices using Connected IO's communication protocol with AT command processing are vulnerable.

📦 What is this software?

Connected Io by Connectedio

View all CVEs affecting Connected Io →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise leading to complete control over the device, data exfiltration, lateral movement within networks, and potential use as a botnet node.

🟠

Likely Case

Remote code execution allowing attackers to modify device configurations, intercept network traffic, or deploy malware.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict network segmentation and command filtering.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is in the communication protocol itself, making exploitation straightforward once the protocol is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.2.0 or later

Vendor Advisory: https://www.connectedio.com/products/routers

Restart Required: Yes

Instructions:

1. Check current firmware version. 2. Download v2.2.0 or later from Connected IO support portal. 3. Upload firmware to device via admin interface. 4. Apply update and restart device.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Connected IO devices in separate VLANs with strict firewall rules limiting inbound/outbound traffic.

AT Command Filtering

all

Implement network-level filtering or proxy to sanitize AT commands before reaching devices.

🧯 If You Can't Patch

Segment devices on isolated networks with no internet access
Implement strict firewall rules to allow only necessary communication to/from devices

🔍 How to Verify

Check if Vulnerable:

Check firmware version in device admin interface or via SSH if available. Versions v2.1.0 or earlier are vulnerable.

Check Version:

ssh admin@device_ip 'cat /etc/version' or check web admin interface

Verify Fix Applied:

Confirm firmware version is v2.2.0 or later in device admin interface.

📡 Detection & Monitoring

Log Indicators:

Unusual AT command patterns in device logs
Unexpected process executions
Configuration changes not initiated by administrators

Network Indicators:

Unusual network traffic from Connected IO devices
AT command messages with shell metacharacters or suspicious arguments

SIEM Query:

source="connected_io" AND (message="*AT*" OR message="*shell*" OR message="*exec*")

📊 Metadata

CVE ID: CVE-2023-33378

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-88

Published: August 4, 2023

Last Updated: November 21, 2024

🔗 References

https://claroty.com/team82/disclosure-dashboard/cve-2023-33378 Third Party Advisory
https://www.connectedio.com/products/routers Product
https://claroty.com/team82/disclosure-dashboard/cve-2023-33378 Third Party Advisory
https://www.connectedio.com/products/routers Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-33378, you might also want to check these: