Iridium Communications Inc. Information for VU#578598

Iridium Pilot and OpenPort contain multiple vulnerabilities

Status

Affected

Vendor Statement

For CVE-2014-0326:

    Iridium is aware of this vulnerability and has taken the necessary steps to address it. We are detecting and blocking use of the identified credentials at the edge where the Iridium network connects to public terrestrial networks. Since all Pilots can only be addressed through the Iridium network, this effectively blocks any remote unauthorized use of the credentials. Iridium has also made changes to the Pilot firmware and this will be released through our normal software release process.

For CVE-2014-0327:

    Iridium is aware of this vulnerability and does not believe it is viable. The firmware upgrade tool described is provided only to service providers, and will not work remotely; the tool must be run on a PC which is directly connected to the on-ship Pilot’s BDE (below deck equipment). Any remote attempt to upgrade the firmware will disable the Iridium network connection and the software upgrade will abort. In addition, it is not technically feasible to create a “malicious” version of the firmware as the PILOT has a proprietary operating system, processor and tool set.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.