Vulnerability Note VU#882207

Cobham Aviator satellite terminals contain multiple vulnerabilities

Original Release date: 07 Aug 2014 | Last revised: 18 Sep 2014

Overview

Cobham Aviator 700D and 700E satellite terminals contain multiple vulnerabilities.

Description

Cobham Aviator 700D and 700E satellite communication terminals contain the following vulnerabilities:

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2014-2942 (Please note that the CVE for this vulnerability has been changed from CVE-2014-2943 to CVE-2014-2942 due to a duplicate CVE identifier.)
IOActive reports that Cobham satellite terminals utilize a risky algorithm to generate a PIN code for accessing the terminal. The algorithm is reversible and allows a local attacker to generate a superuser PIN code.

CWE-798: Use of Hard-coded Credentials - CVE-2014-2964
IOActive reports that certain privileged commands in the satellite terminals require a password to execute. The commands debug, prod, do160, and flrp have hardcoded passwords. A local attacker may be able to gain unauthorized privileges using these commands.

The vendor Cobham has provided the following statement:
Cobham SATCOM has found that potential exploitation of the vulnerabilities presented requires either physical access to the equipment or connectivity to the maintenance part of the network, which also requires a physical presence at the terminal. Specifically, in the aeronautical world, there are very strict requirements for equipment installation and physical access to the equipment is restricted to authorized personnel.

The described hardcoded credentials are only accessible via the maintenance port connector on the front-plate and will require direct access to the equipment via a serial port. The SDU is installed in the avionics bay of the aircraft, and is not accessible for unauthorized personnel.

Cobham SATCOM will continue to evaluate any potential vulnerabilities with its equipment and implement increased security measures if required.

Impact

A local unauthenticated attacker may be able to gain full control of the satellite terminal.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

Vendor      Status    Date Notified  Date Updated
Cobham plc  Affected  14 Jan 2014    28 Jul 2014

CVSS Metrics

Group Score Vector
Base 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
Temporal 6.2 E:POC/RL:U/RC:C
Environmental 2.0 CDP:H/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Ruben Santamarta for reporting this vulnerability.

This document was written by Chris King.

Other Information

  • CVE IDs: CVE-2014-2942 CVE-2014-2964
  • Date Public: 07 Aug 2014
  • Date First Published: 07 Aug 2014
  • Date Last Updated: 18 Sep 2014
  • Document Revision: 18