OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code Execution

Avatar
A security analysis of the OvrC cloud platform has uncovered 10 vulnerabilities that could be chained to allow potential attackers to execute code remotely on connected devices. “Attackers successfully exploiting these vulnerabilities can access, control, and disrupt devices supported by OvrC; some of those include smart electrical power supplies, cameras, routers, home automation systems, and
[[{“value”:”

A security analysis of the OvrC cloud platform has uncovered 10 vulnerabilities that could be chained to allow potential attackers to execute code remotely on connected devices.

“Attackers successfully exploiting these vulnerabilities can access, control, and disrupt devices supported by OvrC; some of those include smart electrical power supplies, cameras, routers, home automation systems, and more,” Claroty researcher Uri Katz said in a technical report.

Snap One’s OvrC, pronounced “oversee,” is advertised as a “revolutionary support platform” that enables homeowners and businesses to remotely manage, configure, and troubleshoot IoT devices on the network. According to its website, OvrC solutions are deployed at over 500,000 end-user locations.

According to a coordinated advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), successful exploitation of the identified vulnerabilities could allow an attacker to “impersonate and claim devices, execute arbitrary code, and disclose information about the affected device.”

The flaws have been found to impact OvrC Pro and OvrC Connect, with the company releasing fixes for eight of them in May 2023 and the remaining two on November 12, 2024.

“Many of these issues we found arise from neglecting the device-to-cloud interface,” Katz said. “In many of these cases, the core issue is the ability to cross-claim IoT devices because of weak identifiers or similar bugs. These issues range from weak access controls, authentication bypasses, failed input validation, hardcoded credentials, and remote code execution flaws.”

As a result, a remote attacker could abuse these vulnerabilities to bypass firewalls and gain unauthorized access to the cloud-based management interface. Even worse, the access could be subsequently weaponized to enumerate and profile devices, hijack devices, elevate privileges, and even run arbitrary code.

The most severe of the flaws are listed below –

CVE-2023-28649 (CVSS v4 score: 9.2), which allows an attacker to impersonate a hub and hijack a device
CVE-2023-31241 (CVSS v4 score: 9.2), which allows an attacker to claim arbitrary unclaimed devices by bypassing the requirement for a serial number
CVE-2023-28386 (CVSS v4 score: 9.2), which allows an attacker to upload arbitrary firmware updates resulting in code execution
CVE-2024-50381 (CVSS v4 score: 9.1), which allows an attacker to impersonate a hub and unclaim devices arbitrarily and subsequently exploit other flaws to claim it

“With more devices coming online every day and cloud management becoming the dominant means of configuring and accessing services, more than ever, the impetus is on manufacturers and cloud service providers to secure these devices and connections,” Katz said. “The negative outcomes can impact connected power supplies, business routers, home automation systems and more connected to the OvrC cloud.”

The disclosure comes as Nozomi Networks detailed three security flaws impacting EmbedThis GoAhead, a compact web server used in embedded and IoT devices, that could lead to a denial-of-service (DoS) under specific conditions. The vulnerabilities (CVE-2024-3184, CVE-2024-3186, and CVE-2024-3187) have been patched in GoAhead version 6.0.1.

In recent months, multiple security shortcomings have also been uncovered in Johnson Controls’ exacqVision Web Service that could be combined to take control of video streams from surveillance cameras connected to the application and steal credentials.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

How Italy became an unexpected spyware hub

Next Post

Comprehensive Guide to Building a Strong Browser Security Program

Related Posts

Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard. The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865. "A novel attack that can infer eye-related biometrics from the avatar image to
Avatar
Read More

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. "Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to
Avatar
Read More