Description
A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, and Telit Cinterion PLS62 that could allow a local, low-privileged attacker to disclose hidden virtual paths and file names on the targeted system.
Problem types
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Product status
* (custom) before 2.000 ARN 01.001.08
* (custom) before 4.013 ARN 01.000.06
* (custom) before 4.000
* (custom) before 4.013 ARN 01.000.06
* (custom) before 2.000
* (custom) before 2.000 ARN 00.000.20
* (custom) before 3.001 ARN 00.000.49
* (custom) before 4.013 ARN 01.000.06
* (custom) before 4.013 ARN 01.000.06
* (custom) before 3.011 ARN 00.000.60
* (custom) before 4.013 ARN 01.000.06
* (custom) before 1.000
* (custom) before 1.004 ARN 00.003.01
* (custom) before 1.005 ARN 00.005.01
* (custom) before 1.000
* (custom) before 1.000 ARN 00.030.01
* (custom) before 1.000 ARN 00.032.02
* (custom) before 2.000 ARN 01.000.03
* (custom) before 2.000 ARN 01.000.03
* (custom) before 1.000 ARN 00.026.01
* (custom) before 1.000 ARN 00.032.02
* (custom) before 1.01 ARN 00.028.01
* (custom) before 2.012 ARN 01.000.05
* (custom) before 4.000
* (custom) before 4.000 ARN 01.000.05
* (custom) before 5.001 ARN 01.000.04
* (custom) before 5.012
* (custom) before 5.012 ARN 01.000.05
* (custom) before 3.001
* (custom) before 3.001 ARN 00.000.32
* (custom) before 4.013 ARN 01.000.06
* (custom) before 2.01
* (custom) before 2.01 ARN 01.000.05
Timeline
* 2023-02-21: Issue discovered by Kaspersky ICS CERT
* 2023-04-27: Confirmed by Telit Cinterion
Credits
Alexander Kozlov from Kaspersky
Sergey Anufrienko from Kaspersky
References
ics-cert.kaspersky.com/...-unauthorized-actor-vulnerability/ (KLCERT-22-210: Telit Cinterion (Thales/Gemalto) modules. Exposure of Sensitive Information to an Unauthorized Actor vulnerability)