search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Furuno Voyage Data Recorder (VDR) moduleserv firmware update utility fails to properly sanitize user-provided input

Vulnerability Note VU#820196

Original Release Date: 2016-01-04 | Last Revised: 2016-01-04

Overview

Furuno Voyage Data Recorder (VDR) VR-3000/VR-3000S and VR-7000 moduleserv firmware update utility fails to properly sanitize user-provided input and is vulnerable to arbitrary command execution with root privileges.

Description

According to the Furuno VDR product page, the VDR "records all crucial data to identify the cause of maritime casualty as well as contribute to the future prevention of the catastrophe of any kind."

Multiple versions of Furuno VDR VR-3000/VR-3000S and VR-7000 contain a firmware update utility called moduleserv that listens on TCP port 10110. The moduleserv service fails to properly sanitize user-provided input, which an unauthenticated attacker may leverage to execute arbitrary commands with root privileges. For more information, refer to the blog post by IOActive.

Impact

An unauthenticated attacker with network access to affected devices can execute arbitrary commands with root privileges.

Solution

Apply an update

The vendor has released updates to address this vulnerability. Updates should be applied as follows.

For the VR-3000/VR-3000S:

    • V1.50 through V1.54 should be updated to V1.56
    • V1.61 should be updated to V1.62
    • V2.06 through V2.54 should be updated to V2.56
    • V2.60 through V2.61 should be updated to V2.62
For the VR-7000:
    • V1.02 should be updated to V1.04

Vendor Information

820196
 
Expand all

Furuno Affected

Updated:  December 22, 2015

Status

Affected

Vendor Statement

Vendor Name: FURUNO ELECTRIC CO., LTD.

Status: Affected
Statement:
FURUNO ELECTRIC CO., LTD. was notified of IO Active report
concerning potential vulnerability of our Voyage Data Recorder
(VDR). Having looked into the nature of the report, we have
released the software update to resolve the potential problem.
The details of the countermeasures are posted onto
http://www.furuno.co.jp/en/news/notice/20151225_001.html
Japanese Link:
http://www.furuno.co.jp/news/notice

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal 6.2 E:POC/RL:OF/RC:UR
Environmental 1.8 CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Ruben Santamarta of IOActive for reporting this vulnerability. Thanks to JPCERT/CC for coordinating with the vendor.

This document was written by Joel Land.

Other Information

CVE IDs: None
Date Public: 2015-01-04
Date First Published: 2016-01-04
Date Last Updated: 2016-01-04 13:19 UTC
Document Revision: 24

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis