OvrC Platform Vulnerabilities Open IoT Devices to Remote Attacks and Code Execution


A security assessment of the OvrC cloud platform has revealed 10 vulnerabilities that, if chained together, could enable attackers to execute remote code on connected devices.

“Attackers who exploit these vulnerabilities could gain access to, control, and disrupt devices managed by OvrC, which include smart power supplies, cameras, routers, home automation systems, and more,” Claroty researcher Uri Katz detailed in a technical report.

Snap One’s OvrC—pronounced “oversee”—is promoted as an innovative support platform, allowing users to remotely manage, configure, and troubleshoot IoT devices across their network. According to the company, OvrC solutions are installed in over 500,000 locations globally.

According to a coordinated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), exploiting these vulnerabilities could enable attackers to “impersonate and claim devices, execute arbitrary code, and expose information about the affected device.”

The vulnerabilities impact both OvrC Pro and OvrC Connect, with the company addressing eight of them in May 2023 and releasing patches for the remaining two on November 12, 2024.

“Many of these vulnerabilities stem from insufficient attention to the device-to-cloud interface,” explained Katz. “In several cases, the main issue is the ability to cross-claim IoT devices due to weak identifiers or similar bugs. These range from weak access controls and authentication bypasses to failed input validation, hardcoded credentials, and remote code execution flaws.”

Consequently, a remote attacker could use these weaknesses to bypass perimeter firewalls, gain unauthorized access to the cloud-based management interface, and from there enumerate, profile, and hijack managed devices, elevate privileges, and ultimately execute arbitrary code on them.

The most severe of the flaws are listed below –

  • CVE-2023-28649 (CVSS v4 score: 9.2), which allows an attacker to impersonate a hub and hijack a device
  • CVE-2023-31241 (CVSS v4 score: 9.2), which allows an attacker to claim arbitrary unclaimed devices by bypassing the requirement for a serial number
  • CVE-2023-28386 (CVSS v4 score: 9.2), which allows an attacker to upload arbitrary firmware updates resulting in code execution
  • CVE-2024-50381 (CVSS v4 score: 9.1), which allows an attacker to impersonate a hub and arbitrarily unclaim devices, then exploit the other flaws to claim them
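Two of the flaw classes in the list above recur across IoT cloud platforms: a claim step that trusts an enumerable identifier (a MAC address or serial number) instead of a proof that the claimant actually holds the device, and an update path that installs whatever firmware the cloud hands down. The model below is an added, constructed illustration of those two checks and is not OvrC code, nor a description of OvrC's actual protocol; the class and method names, the HMAC-based proof of possession, and the keyed firmware tag are assumptions chosen to stand in for whatever a real platform uses (a production update path would verify an asymmetric signature on the device itself).

```python
"""Constructed model of weak vs. hardened device claiming and firmware
acceptance in an IoT management cloud. Illustration only; the API shape,
secrets and identifiers are invented for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    serial: str                 # printed on the label: effectively public
    mac: str                    # predictable and enumerable on the LAN
    claim_secret: bytes         # per-device secret provisioned at manufacture
    owner: Optional[str] = None
    firmware: bytes = b"v1"


class WeakCloud:
    """Claims a device from an enumerable identifier alone, so anyone who can
    guess or scan a MAC can cross-claim an unclaimed device, then push
    unverified firmware to it."""

    def __init__(self, devices: List[Device]):
        self.devices: Dict[str, Device] = {d.mac: d for d in devices}

    def claim(self, mac: str, account: str) -> bool:
        d = self.devices.get(mac)
        if d is None or d.owner is not None:
            return False
        d.owner = account            # no proof of possession required
        return True

    def push_firmware(self, mac: str, account: str, blob: bytes) -> bool:
        d = self.devices.get(mac)
        if d is None or d.owner != account:
            return False
        d.firmware = blob            # no integrity check: attacker code runs
        return True


class HardenedCloud:
    """Requires a challenge-response proof bound to the per-device secret and
    the claiming account, and a valid firmware tag before installing."""

    def __init__(self, devices: List[Device], fw_key: bytes):
        self.devices: Dict[str, Device] = {d.mac: d for d in devices}
        self.fw_key = fw_key         # stand-in for a vendor signing key
        self.challenges: Dict[str, bytes] = {}

    def challenge(self, mac: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges[mac] = nonce
        return nonce

    def claim(self, mac: str, account: str, proof: bytes) -> bool:
        d = self.devices.get(mac)
        nonce = self.challenges.pop(mac, None)   # single use: no replay
        if d is None or d.owner is not None or nonce is None:
            return False
        expected = hmac.new(d.claim_secret, nonce + account.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False             # knowing the MAC/serial is not enough
        d.owner = account
        return True

    def push_firmware(self, mac: str, account: str, blob: bytes,
                      tag: bytes) -> bool:
        d = self.devices.get(mac)
        if d is None or d.owner != account:
            return False
        expected = hmac.new(self.fw_key, blob, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False             # unauthenticated image is rejected
        d.firmware = blob
        return True


def demo() -> Dict[str, bool]:
    """Run both models against the same constructed device and report which
    attacker and owner actions succeed."""
    mac, secret = "aa:bb:cc:00:00:01", b"per-device-secret-0001"   # constructed
    fw_key = b"vendor-firmware-key"                                 # constructed
    out: Dict[str, bool] = {}

    weak = WeakCloud([Device("SN-0001", mac, secret)])
    out["weak_claim_by_mac"] = weak.claim(mac, "attacker")
    out["weak_unsigned_firmware"] = weak.push_firmware(mac, "attacker", b"evil")

    hard = HardenedCloud([Device("SN-0001", mac, secret)], fw_key)
    hard.challenge(mac)
    out["hard_claim_without_secret"] = hard.claim(mac, "attacker", b"\x00" * 32)
    nonce = hard.challenge(mac)
    proof = hmac.new(secret, nonce + b"owner", hashlib.sha256).digest()
    out["hard_claim_with_proof"] = hard.claim(mac, "owner", proof)
    out["hard_unsigned_firmware"] = hard.push_firmware(mac, "owner", b"evil", b"\x00" * 32)
    tag = hmac.new(fw_key, b"v2", hashlib.sha256).digest()
    out["hard_signed_firmware"] = hard.push_firmware(mac, "owner", b"v2", tag)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened variant is that the identifier only selects the device record; ownership is granted on a fresh, single-use challenge answered with a secret the device alone holds, and a consumed challenge is discarded whether or not the proof verified, so an attacker cannot keep guessing against the same nonce. The firmware check is the analogous gate on the code-execution path: a blob that was not produced under the vendor key never reaches the device.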

“With the increasing number of devices coming online daily and cloud management becoming the primary method for configuring and accessing services, the responsibility on manufacturers and cloud service providers to secure these devices and connections is greater than ever,” Katz stated. “The potential risks extend to connected power supplies, business routers, home automation systems, and more linked to the OvrC cloud.”

This disclosure follows Nozomi Networks’ report of three security vulnerabilities in EmbedThis GoAhead, a compact web server widely used in embedded and IoT devices. These flaws (CVE-2024-3184, CVE-2024-3186, and CVE-2024-3187) could lead to denial-of-service (DoS) attacks under specific conditions and have been addressed in GoAhead version 6.0.1.

Additionally, recent months have seen the identification of several security weaknesses in Johnson Controls’ exacqVision Web Service. These vulnerabilities could be exploited together to gain control of video streams from surveillance cameras connected to the application and compromise user credentials.
