Vulnerability Note VU#250358

Hughes Network Systems Broadband Global Area Network (BGAN) satellite terminal firmware contains multiple vulnerabilities

Original Release date: 31 Jan 2014 | Last revised: 24 Jun 2014

Overview

Firmware developed by Hughes Network Systems used in a number of BGAN satellite terminals contains undocumented hardcoded login credentials (CWE-798). Additionally, the firmware contains an insecure proprietary communications protocol, likely a debugging service, that allows unauthenticated local network users to perform privileged operations on the device (CWE-306).

Description

CWE-798: Use of Hard-coded Credentials - CVE-2013-6034

Firmware developed by Hughes Network Systems and used in numerous broadband satellite terminals contains hardcoded login credentials. Most of these devices are utilized for broadband connectivity through the Inmarsat satellite telecommunications network.

CWE-306: Missing Authentication for Critical Function - CVE-2013-6035

Additionally, these devices accept unauthenticated connections on TCP port 1827 from the local Ethernet port. This port utilizes an insecure proprietary protocol which can be used to perform privileged operations on the device, such as reading and writing arbitrary memory. An unauthenticated local attacker could leverage this protocol to execute arbitrary code on vulnerable devices.
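A defender's check for the exposure described above, as an added example that is not part of the original advisory: it scans flow records for TCP connection attempts to port 1827 on a terminal's address and reports whether the terminal answered. The CSV flow format, the addresses and the function name are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

DEBUG_PORT = 1827  # TCP port named in the advisory

# Constructed sample flow records (not real traffic), RFC 5737 addresses.
# Assumed columns: time,proto,src,sport,dst,dport,tcp_flags
SAMPLE_FLOWS = """\
2014-02-03T10:00:01Z,tcp,192.0.2.10,51512,192.0.2.1,80,S
2014-02-03T10:00:07Z,tcp,192.0.2.23,40222,192.0.2.1,1827,S
2014-02-03T10:00:07Z,tcp,192.0.2.1,1827,192.0.2.23,40222,SA
2014-02-03T10:00:09Z,udp,192.0.2.23,1827,192.0.2.1,1827,-
2014-02-03T10:01:30Z,tcp,192.0.2.44,40900,192.0.2.1,1827,S
2014-02-03T10:01:30Z,tcp,192.0.2.1,1827,192.0.2.44,40900,RA
2014-02-03T10:02:00Z,tcp,192.0.2.23,40300,198.51.100.5,1827,S
"""

def find_debug_port_access(flow_csv, terminals):
    """Return one finding per TCP connection attempt to DEBUG_PORT on a terminal."""
    terminal_ips = {ipaddress.ip_address(t) for t in terminals}
    attempts = {}  # (client ip, client port, terminal ip) -> finding
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 7 or row[1].lower() != "tcp":
            continue  # skip malformed rows and non-TCP traffic
        ts, _, src, sport, dst, dport, flags = row
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sport, dport = int(sport), int(dport)
        if dst_ip in terminal_ips and dport == DEBUG_PORT and flags == "S":
            # Initial SYN from a client towards the terminal's port 1827
            attempts[(src_ip, sport, dst_ip)] = {
                "time": ts, "client": src, "terminal": dst, "accepted": False}
        elif src_ip in terminal_ips and sport == DEBUG_PORT and flags == "SA":
            # SYN-ACK from the terminal: the service accepted the connection
            finding = attempts.get((dst_ip, dport, src_ip))
            if finding:
                finding["accepted"] = True
    return list(attempts.values())

if __name__ == "__main__":
    for f in find_debug_port_access(SAMPLE_FLOWS, ["192.0.2.1"]):
        state = "ACCEPTED" if f["accepted"] else "attempted"
        print(f'{f["time"]} {f["client"]} -> {f["terminal"]}:{DEBUG_PORT} {state}')
```
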

The satellite terminals from the following vendors use the affected firmware; however, the exploitability of these vulnerabilities may vary with the specific implementation.

Harris Corporation:

  • BGAN RF-7800B-VU204
  • BGAN RF-7800B-DU204

Hughes Network Systems:
  • 9502
  • 9201
  • 9450

Thuraya Telecommunications Company:
  • IP

Japan Radio Corp., Ltd.:
  • JUE-250
  • JUE-500

CERT/CC has confirmed that the affected firmware is developed by Hughes Network Systems. GateHouse produces a BGAN network stack that is licensed to Hughes Network Systems, but the GateHouse software does not provide either of the vulnerable features. Please see the "Vendor Information" section below for more details.

The CVSS score reflects CVE-2013-6035.

Impact

Depending on implementation, an unauthenticated attacker may be able to gain privileged access to the device. Additionally, an unauthenticated attacker on the local network may be able to execute arbitrary code on the device.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Harris Corporation | Affected | 25 Nov 2013 | 24 Jun 2014
Hughes Network Systems, Inc. | Affected | 10 Oct 2013 | 24 Jun 2014
GateHouse | Not Affected | 11 Dec 2013 | 06 Jun 2014
Inmarsat | Not Affected | 10 Oct 2013 | 12 Jun 2014
CVE Request | Unknown | 12 Jun 2014 | 12 Jun 2014
Japan Radio Co Ltd | Unknown | 10 Oct 2013 | 25 Nov 2013
Thuraya | Unknown | 10 Oct 2013 | 25 Nov 2013

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 5.7 | AV:A/AC:M/Au:N/C:C/I:N/A:N
Temporal | 4.8 | E:U/RL:U/RC:C
Environmental | 1.2 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to IOActive researcher Ruben Santamarta for reporting this vulnerability.

This document was written by Todd Lewellen and Chris King.

Other Information

  • CVE IDs: CVE-2013-6034 CVE-2013-6035
  • Date Public: 31 Jan 2014
  • Date First Published: 31 Jan 2014
  • Date Last Updated: 24 Jun 2014
  • Document Revision: 65
