Vulnerability Note VU#250358

Various Inmarsat broadband satellite terminals contain multiple vulnerabilities

Original Release date: 31 Jan 2014 | Last revised: 14 Feb 2014

Overview

A number of broadband satellite terminals which utilize the Inmarsat satellite telecommunications network have been found to contain undocumented hardcoded login credentials (CWE-798). Additionally, these broadband satellite terminals utilize an insecure proprietary communications protocol that allows unauthenticated users to perform privileged operations on the devices (CWE-306).

Description

CWE-798: Use of Hard-coded Credentials - CVE-2013-6034

According to IOActive security researcher Ruben Santamarta, numerous broadband satellite terminals which connect to the Inmarsat satellite telecommunications network contain hardcoded login credentials.

CWE-306: Missing Authentication for Critical Function - CVE-2013-6035

Additionally, these devices accept unauthenticated connections on TCP port 1827. This port utilizes an insecure proprietary protocol which can be used to perform privileged operations on the device, such as reading and writing arbitrary memory. An unauthenticated attacker could leverage this protocol to execute arbitrary code on the broadband satellite terminals.
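Because the service on TCP port 1827 performs no authentication, network placement is the only access control in front of it. The following added example (not part of the original note or any vendor's code) scans flow records for connections to that port on terminal addresses from sources outside a management allowlist; the record format, address ranges, and names are constructed assumptions.

```python
import csv
import io
import ipaddress

SERVICE_PORT = 1827  # TCP port named in the advisory

# Constructed inventory and allowlist (assumptions; documentation address ranges).
TERMINALS = [ipaddress.ip_network("192.0.2.0/28")]
MGMT_ALLOW = [ipaddress.ip_network("198.51.100.16/29")]

# Constructed flow records: time,src,dst,dport,proto,action
SAMPLE_FLOWS = """\
2014-02-01T10:00:01Z,198.51.100.18,192.0.2.5,1827,tcp,allow
2014-02-01T10:02:12Z,203.0.113.77,192.0.2.5,1827,tcp,allow
2014-02-01T10:02:40Z,203.0.113.77,192.0.2.6,1827,tcp,deny
2014-02-01T10:03:05Z,203.0.113.9,192.0.2.5,443,tcp,allow
2014-02-01T10:04:00Z,203.0.113.9,192.0.2.7,1827,udp,allow
not,a,valid,record
2014-02-01T10:05:30Z,203.0.113.80,10.1.1.1,1827,tcp,allow
"""

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def find_exposures(flow_text):
    """Return (alerts, blocked, skipped).

    alerts:  permitted TCP/1827 flows to a terminal from a non-allowlisted source
    blocked: the same kind of flow, but denied by a filter (control is working)
    skipped: count of records that could not be parsed
    """
    alerts, blocked, skipped = [], [], 0
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            ts, src, dst, dport, proto, action = (f.strip() for f in row)
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:  # wrong field count, bad address, or bad port
            skipped += 1
            continue
        if proto.lower() != "tcp" or dport != SERVICE_PORT:
            continue
        if not _in_any(dst, TERMINALS) or _in_any(src, MGMT_ALLOW):
            continue
        hit = (ts, str(src), str(dst))
        (alerts if action.lower() == "allow" else blocked).append(hit)
    return alerts, blocked, skipped

if __name__ == "__main__":
    print(find_exposures(SAMPLE_FLOWS))
```
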

According to Santamarta, the following satellite terminals are affected, listed by vendor:

Harris Corporation:

  • BGAN RF-7800B-VU204
  • BGAN RF-7800B-DU204

Hughes Network Systems:
  • 9502
  • 9201
  • 9450

Thuraya Telecommunications Company:
  • IP

Japan Radio Corp., Ltd.:
  • JUE-250
  • JUE-500

At this time, CERT/CC believes the affected firmware was jointly developed by GateHouse and Hughes Network Systems. A GateHouse representative confirmed that GateHouse was involved in the development of the firmware, but claims that GateHouse is not the author of the vulnerable portions of the firmware code. A representative of Hughes Network Systems acknowledged receipt of the vulnerability report but has declined to respond to further inquiries.

The CVSS score reflects CVE-2013-6035.

Impact

A remote unauthenticated attacker may be able to gain privileged access to the device. Additionally, a remote unauthenticated attacker may be able to execute arbitrary code on the device.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

Vendor                        Status   Date Notified  Date Updated
GateHouse                     Unknown  11 Dec 2013    11 Dec 2013
Harris Corporation            Unknown  25 Nov 2013    25 Nov 2013
Hughes Network Systems, Inc.  Unknown  10 Oct 2013    10 Oct 2013
Inmarsat                      Unknown  10 Oct 2013    25 Nov 2013
Japan Radio Co Ltd            Unknown  10 Oct 2013    25 Nov 2013
Thuraya                       Unknown  10 Oct 2013    25 Nov 2013

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           7.6    AV:N/AC:H/Au:N/C:C/I:C/A:C
Temporal       6.1    E:U/RL:U/RC:UR
Environmental  1.5    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to IOActive researcher Ruben Santamarta for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2013-6034 CVE-2013-6035
  • Date Public: 31 Jan 2014
  • Date First Published: 31 Jan 2014
  • Date Last Updated: 14 Feb 2014
  • Document Revision: 30

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.