OvrC Cloud Platform Flaws Open IoT Devices to Remote Attacks and Code Execution
November 13, 2024
An investigation into the security of the OvrC cloud platform has revealed ten vulnerabilities that, if exploited, could allow attackers to execute code remotely on devices connected to the platform. As explained by Uri Katz, a researcher at Claroty, 'Attackers successfully exploiting these vulnerabilities can access, control, and disrupt devices supported by OvrC.' These devices include smart electrical power supplies, cameras, routers, and home automation systems among others.
OvrC, developed by Snap One and pronounced 'oversee', is marketed as a groundbreaking support platform that allows both homeowners and businesses to manage, configure, and troubleshoot IoT devices on their network remotely. The platform is reportedly used at over half a million end-user locations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in coordination with the findings, stating that successful exploitation of these vulnerabilities could allow an attacker to 'impersonate and claim devices, execute arbitrary code, and disclose information about the affected device.' The vulnerabilities affect OvrC Pro and OvrC Connect. Snap One released fixes for eight of these vulnerabilities in May 2023, and the remaining two were addressed on November 12, 2024.
Katz pointed out that many of these vulnerabilities stem from neglecting the device-to-cloud interface. The core issue, in many cases, is the ability to cross-claim IoT devices because of weak identifiers or similar bugs. The flaws span weak access controls, authentication bypasses, missing input validation, hardcoded credentials, and remote code execution. As a result, a remote attacker could exploit these weaknesses to bypass firewalls and gain unauthorized access to the cloud-based management interface. That access could then be used to enumerate and profile devices, hijack devices, elevate privileges, and run arbitrary code.
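To make the "cross-claim through weak identifiers" problem concrete, here is an added illustration that is not code from OvrC, Snap One or Claroty and does not reflect how the OvrC claim flow is actually implemented. It models a toy device-claim registry with two interchangeable claim-code schemes: a weak one in which the code is derivable from a public, enumerable identifier (a MAC-style string, an assumed format), and a hardened one in which the code is a random per-device secret minted at provisioning. The registry also enforces the other check a claim service needs: a device already bound to one account cannot be re-bound by another. All device identifiers and secrets are constructed for the example.

```python
import hmac
import secrets

# Constructed sample inventory. MAC-style ids are an assumption for the
# illustration, not the identifier format of any real platform.
DEVICES = ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"]


class ClaimRegistry:
    """Toy device-claim registry: a device can be bound to exactly one account,
    and a claim succeeds only if the presented code matches the expected one."""

    def __init__(self, expected_code):
        # expected_code: device_id -> claim code, or None for unknown devices
        self._expected_code = expected_code
        self.owners = {}

    def claim(self, device_id, presented_code, account):
        expected = self._expected_code(device_id)
        if expected is None:
            return False  # unknown device
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, presented_code):
            return False
        # A device already bound to a different account stays with that account.
        if self.owners.get(device_id, account) != account:
            return False
        self.owners[device_id] = account
        return True


def weak_code(device_id):
    """Weak scheme: the claim code is the device's own public identifier with the
    separators stripped, so anyone who can learn or guess the id can claim it."""
    if device_id not in DEVICES:
        return None
    return device_id.replace(":", "").lower()


# Hardened scheme: a random 128-bit secret per device, generated when the
# device is provisioned and delivered out of band (e.g. printed on a label).
STRONG_CODES = {d: secrets.token_hex(16) for d in DEVICES}


def strong_code(device_id):
    return STRONG_CODES.get(device_id)


def cross_claim_possible(make_registry):
    """Return True if an account that knows only a device's public identifier
    can bind that device to itself under the registry's claim scheme."""
    registry = make_registry()
    target = DEVICES[0]
    derived = target.replace(":", "").lower()  # what the public id alone yields
    return registry.claim(target, derived, "account-b")


if __name__ == "__main__":
    print("weak scheme cross-claimable:",
          cross_claim_possible(lambda: ClaimRegistry(weak_code)))
    print("hardened scheme cross-claimable:",
          cross_claim_possible(lambda: ClaimRegistry(strong_code)))
```

The design point is that a claim code must carry entropy the device identifier does not: anything computable from a serial number, MAC address or sequential id is effectively public, and a registry that accepts it lets one tenant bind another tenant's hardware. Binding a device to a single account and refusing later claims from other accounts closes the second half of the gap, so a device that has been legitimately registered cannot be silently re-homed.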
In addition to the OvrC vulnerabilities, Nozomi Networks has detailed three security flaws impacting EmbedThis GoAhead, a compact web server used in embedded and IoT devices. These vulnerabilities (CVE-2024-3184, CVE-2024-3186, and CVE-2024-3187) could lead to a denial-of-service (DoS) under specific conditions and have been patched in GoAhead version 6.0.1.
In recent months, several security issues have also been uncovered in Johnson Controls' exacqVision Web Service. These could be combined to take control of video streams from surveillance cameras connected to the application and steal credentials.