A security analysis of the OvrC cloud platform has uncovered 10 vulnerabilities that could be chained to allow potential attackers to execute code remotely on connected devices.
“Attackers successfully exploiting these vulnerabilities can access, control, and disrupt devices supported by OvrC; some of those include smart electrical power supplies, cameras, routers, home automation systems, and more,” Claroty researcher Uri Katz said in a technical report.
Snap One’s OvrC, pronounced “oversee,” is advertised as a “revolutionary support platform” that enables homeowners and businesses to remotely manage, configure, and troubleshoot IoT devices on the network. According to its website, OvrC solutions are deployed at over 500,000 end-user locations.
According to a coordinated advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), successful exploitation of the identified vulnerabilities could allow an attacker to “impersonate and claim devices, execute arbitrary code, and disclose information about the affected device.”
The flaws have been found to impact OvrC Pro and OvrC Connect, with the company releasing fixes for eight of them in May 2023 and the remaining two on November 12, 2024.
“Many of these issues we found arise from neglecting the device-to-cloud interface,” Katz said. “In many of these cases, the core issue is the ability to cross-claim IoT devices because of weak identifiers or similar bugs. These issues range from weak access controls, authentication bypasses, failed input validation, hardcoded credentials, and remote code execution flaws.”
As a result, a remote attacker could abuse these vulnerabilities to bypass firewalls and gain unauthorized access to the cloud-based management interface. Even worse, the access could be subsequently weaponized to enumerate and profile devices, hijack devices, elevate privileges, and even run arbitrary code.
The most severe of the flaws are listed below –
- CVE-2023-28649 (CVSS v4 score: 9.2), which allows an attacker to impersonate a hub and hijack a device
- CVE-2023-31241 (CVSS v4 score: 9.2), which allows an attacker to claim arbitrary unclaimed devices by bypassing the requirement for a serial number
- CVE-2023-28386 (CVSS v4 score: 9.2), which allows an attacker to upload arbitrary firmware updates resulting in code execution
- CVE-2024-50381 (CVSS v4 score: 9.1), which allows an attacker to impersonate a hub and unclaim devices arbitrarily and subsequently exploit other flaws to claim it
“With more devices coming online every day and cloud management becoming the dominant means of configuring and accessing services, more than ever, the impetus is on manufacturers and cloud service providers to secure these devices and connections,” Katz said. “The negative outcomes can impact connected power supplies, business routers, home automation systems and more connected to the OvrC cloud.”
The disclosure comes as Nozomi Networks detailed three security flaws impacting EmbedThis GoAhead, a compact web server used in embedded and IoT devices, that could lead to a denial-of-service (DoS) under specific conditions. The vulnerabilities (CVE-2024-3184, CVE-2024-3186, and CVE-2024-3187) have been patched in GoAhead version 6.0.1.
In recent months, multiple security shortcomings have also been uncovered in Johnson Controls’ exacqVision Web Service that could be combined to take control of video streams from surveillance cameras connected to the application and steal credentials.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.