CVE-2023-0011

Published: Dec 20, 2023Modified: Nov 21, 2024

6.8

Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.9 / Impact: 5.9

Source: NVD

Description

A flaw in the input validation in TOBY-L2 allows a user to execute arbitrary operating system commands using specifically crafted AT commands. This vulnerability requires physical access to the serial interface of the module or the ability to modify the system or software which uses its serial interface to send malicious AT commands. Exploitation of the vulnerability gives full administrative (root) privileges to the attacker to execute any operating system command on TOBY-L2 which can lead to modification of the behavior of the module itself as well as the components connected with it (depending on its rights on other connected systems). It can further provide the ability to read system level files and hamper the availability of the module as well.. This issue affects TOBY-L2 series: TOBY-L200, TOBY-L201, TOBY-L210, TOBY-L220, TOBY-L280.

Affected (5)

Products: U Blox: Toby L200 Firmware, Toby L201 Firmware, Toby L210 Firmware, Toby L220 Firmware, Toby L280 Firmware

5 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
U Blox Toby L200 Firmware	All versions

Running on/with	Platform Versions
U Blox Toby L200	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
U Blox Toby L201 Firmware	All versions

Running on/with	Platform Versions
U Blox Toby L201	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
U Blox Toby L210 Firmware	All versions

Running on/with	Platform Versions
U Blox Toby L210	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
U Blox Toby L220 Firmware	All versions

Running on/with	Platform Versions
U Blox Toby L220	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
U Blox Toby L280 Firmware	All versions

Running on/with	Platform Versions
U Blox Toby L280	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://www.u-blox.com/en/report-security-issues

Source: vulnerability@ncsc.ch

Vendor Advisory

https://www.u-blox.com/en/report-security-issues

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.