Published: 2023-DEC-13 09:42 PM

Last Edited: 2023-DEC-14 11:55 AM

Digital Communications Technologies is aware of the Open-Source Software security vulnerability CVE-2023-6248 and has released patches for it. Our investigation found that it affects a subset of our products, and as of today we have addressed it as outlined below.

CVE-2023-6248

What was found?

The Syrus 4 IoT gateway had a security flaw involving communication with an unsecured MQTT server. This allowed a remote attacker to execute commands on devices they had knowledge of. It also allowed attackers to access diagnostics from the devices.

What was affected?

The platform: Syrus Cloud.

What was the fix?

We enforced ACLs on the MQTT cluster, ensuring only specific authenticated users could write to the commands pipeline.
A hardware update is being rolled out that will enable MQTT over TLS for secure encryption, along with refreshed credentials for the devices.
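
A minimal model of the default-deny ACL check described above, as an added example that is not Digital Communications Technologies' code or broker configuration. The usernames, topic layout and rule table are assumptions made for illustration.

```python
"""Default-deny MQTT ACL check (illustrative model, not Syrus Cloud code)."""

# Constructed rules: (username, access, topic filter). All names are hypothetical.
ACL_RULES = [
    ("cloud-dispatcher", "write", "devices/+/commands"),
    ("cloud-dispatcher", "read", "devices/+/diagnostics"),
    ("device-0001", "read", "devices/0001/commands"),
    ("device-0001", "write", "devices/0001/diagnostics"),
]


def topic_matches(topic_filter, topic):
    """MQTT filter matching: '+' spans one level, '#' spans the remainder."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # '#' is only valid as the last level of a filter
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def authorize(username, access, topic):
    """Return True only if an explicit rule grants the access; all else is denied."""
    if not username:
        return False  # anonymous client: no identity, no access
    if access == "write" and ("+" in topic or "#" in topic):
        return False  # wildcards are not valid in a published topic name
    return any(
        user == username and mode == access and topic_matches(flt, topic)
        for user, mode, flt in ACL_RULES
    )


if __name__ == "__main__":
    checks = [
        ("cloud-dispatcher", "write", "devices/0001/commands"),
        (None, "write", "devices/0001/commands"),
        ("device-0001", "write", "devices/0002/commands"),
        ("device-0001", "read", "devices/0002/diagnostics"),
    ]
    for user, access, topic in checks:
        verdict = "ALLOW" if authorize(user, access, topic) else "DENY"
        print(f"{verdict:5} user={user!r} {access} {topic}")
```

The property to check in any real rule set is the same one the model enforces: no rule grants write access to a commands topic for an anonymous client or for a device identity other than the intended publisher.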

What do I need to do?

You do not need to take any action, as the fix was deployed on the cloud components – Syrus Cloud.

References

Additional updates will be released on the official NIST and CVE webpages.

Acknowledgements

Digital Communications Technologies recognizes the efforts of those in the security community who helped find this vulnerability. Special thanks to