If a modem receives a malicious message, it can crash with a segmentation fault. This is a crash with the same code as a false positive in a cryptographically signed software update, which makes it look like a real Windows update. The attacker can then send another malicious message that causes the modem to crash again and again. This can be used to remotely exploit a vulnerable modem and gain complete control of it. The attacker can then install custom software on the vulnerable modem, which could be used for RCE. In a real attack scenario, the attacker would have to trust the software update provider to not corrupt their code or install something malicious.

Vulnerability details

CVE-2022-20210 is a vulnerability in the Siemens modem driver that can allow for remote exploitation. The vulnerability basically works by sending a malicious message to the modem, which causes it to crash when it tries to process it. This would result in an exploit of the vulnerable modem and complete control of it.
A common practice with software updates is cryptographic signing, which makes sure that the update being sent is legitimate and hasn't been corrupted or changed. However, this vulnerability allows someone to send a malicious message of their own making and have it be treated as legitimate, giving them complete control over the device. In reality, this type of exploit would require having some trust in your software provider not to corrupt their code or install something malicious on your computer.

Windows Management Instrumentation API (WMI)

The Windows Management Instrumentation API (WMI) is an interface that allows a program running on a Windows system to manage and view information about the computer or an attached device.
WMI may be vulnerable to attacks such as credential theft and remote code execution. In particular, it can be used to remotely exploit a vulnerable modem and gain complete control of it. The attacker can then install custom software on the vulnerable modem, which could be used for RCE. In a real attack scenario, the attacker would have to trust the software update provider.

WiFi Kill Switch

The Wifi Kill Switch is a feature in some WiFi routers that protects the devices connected to it by shutting off the internet access if someone is trying to hack the system. This prevents hackers from hacking into your home network, changing the settings, and stealing your data.

CVE-2022-20211

"If a modem receives a malicious message, it can crash with a segmentation fault. This is a crash with the same code as a false positive in a cryptographically signed software update, which makes it look like a real Windows update."
In this case, CVE-2022-20211 is about exploiting the vulnerability of modems that are vulnerable to CVE-2022-20210. More specifically, it is about attacking the modem and achieving remote code execution on the vulnerable device. The attacker would have to trust the software update provider not to corrupt their code or install something malicious.
The attacker would also have to trust that the firmware provider did not tamper with their firmware before sending them the update file. If they did, then the exploit will fail and no further action is necessary.

Timeline

Published on: 06/15/2022 14:15:00 UTC
Last modified on: 06/24/2022 03:27:00 UTC

References