10 - VU#250358

Executive Summary

Summary
Title	Various Inmarsat broadband satellite terminals contain multiple vulnerabilities

Informations
Name	VU#250358	First vendor Publication	2014-01-31
Vendor	VU-CERT	Last vendor Modification	2014-02-14
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#250358

Various Inmarsat broadband satellite terminals contain multiple vulnerabilities

Original Release date: 31 Jan 2014 | Last revised: 14 Feb 2014

Overview

A number of broadband satellite terminals which utilize the Inmarsat satellite telecommunications network have been found to contain undocumented hardcoded login credentials (CWE-798). Additionally, these broadband satellite terminals utilize an insecure proprietary communications protocol that allows unauthenticated users to perform privileged operations on the devices (CWE-306).

Description

CWE-798: Use of Hard-coded Credentials - CVE-2013-6034

According to IOActive security researcher Ruben Santamarta, numerous broadband satellite terminals which connect to the Inmarsat satellite telecommunications network contain hardcoded login credentials.

CWE-306: Missing Authentication for Critical Function - CVE-2013-6035

Additionally, these devices accept unauthenticated connections on TCP port 1827. This port utilizes an insecure proprietary protocol which can be used to perform privileged operations on the device, such as reading and writing arbitrary memory. An unauthenticated attacker could leverage this protocol to execute arbitrary code on the broadband satellite terminals.

According to Santamarta, the following satellite terminals from the following vendors are affected:

Harris Corporation:

BGAN RF-7800B-VU204
BGAN RF-7800B-DU204

Hughes Network Systems:

9502
9201
9450

Thuraya Telecommunications Company:

Japan Radio Corp., Ltd.:

JUE-250
JUE-500

At this time, CERT/CC believes the affected firmware was jointly developed by GateHouse and Hughes Network Systems. A GateHouse representative confirmed that GateHouse was involved in the development of the firmware, but claims that GateHouse is not the author of the vulnerable portions of the firmware code. A representative of Hughes Network Systems acknowledged receipt of the vulnerability report but has declined to respond to further inquiries.

The CVSS score reflects CVE-2013-6035.

Impact

A remote unauthenticated attacker may be able to gain privileged access to the device. Additionally, a remote unauthenticated attacker may be able to execute arbitrary code on the device.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
GateHouse	Unknown	11 Dec 2013	11 Dec 2013
Harris Corporation	Unknown	25 Nov 2013	25 Nov 2013
Hughes Network Systems, Inc.	Unknown	10 Oct 2013	10 Oct 2013
Inmarsat	Unknown	10 Oct 2013	25 Nov 2013
Japan Radio Co Ltd	Unknown	10 Oct 2013	25 Nov 2013
Thuraya	Unknown	10 Oct 2013	25 Nov 2013

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.6	AV:N/AC:H/Au:N/C:C/I:C/A:C
Temporal	6.1	E:U/RL:U/RC:UR
Environmental	1.5	CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

http://rf.harris.com/capabilities/tactical-radios-networking/rf-7800b/default.asp
http://www.hughes.com/technologies/mobilesat-systems/mobile-satellite-terminals
http://www.thuraya.com/thuraya-ip
http://www.jrc.co.jp/eng/product/marine/application/comm_inmarsat.html
http://www.inmarsateu.net/
http://www.inmarsat.com/Support/detailsupport/bgan/Firmware/index.htm
http://www.inmarsat.com/Support/detailsupport/FleetBroadband/Firmware/index.htm
http://www.thuraya.com/product_upgrades/41
http://www.gatehouse.dk/

Credit

Thanks to IOActive researcher Ruben Santamarta for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs:CVE-2013-6034CVE-2013-6035
Date Public:31 Jan 2014
Date First Published:31 Jan 2014
Date Last Updated:14 Feb 2014
Document Revision:30

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/250358

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-287	Improper Authentication
50 %	CWE-255	Credentials Management

CPE : Common Platform Enumeration

Type	Description	Count
Hardware	Gatehouse cpe:2.3:h:gatehouse:gatehouse:-:::::::*	1
Hardware	Harris Bgan cpe:2.3:h:harris:bgan:rf-7800b-vu204:::::::* cpe:2.3:h:harris:bgan:rf-7800b-du204:::::::*	2
Hardware	Hughes Network Systems 9201 cpe:2.3:h:hughes_network_systems:9201:-:::::::*	1
Hardware	Hughes Network Systems 9450 cpe:2.3:h:hughes_network_systems:9450:-:::::::*	1
Hardware	Hughes Network Systems 9502 cpe:2.3:h:hughes_network_systems:9502:-:::::::*	1
Hardware	Inmarsat cpe:2.3:h:inmarsat:inmarsat:-:::::::*	1
Hardware	Japan Radio Jue-250 cpe:2.3:h:japan_radio:jue-250:-:::::::*	1
Hardware	Japan Radio Jue-500 cpe:2.3:h:japan_radio:jue-500:-:::::::*	1
Hardware	Thuraya Telecommunications Ip cpe:2.3:h:thuraya_telecommunications:ip:-:::::::*	1

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-14 17:18:28	Multiple Updates
2014-02-05 13:23:04	Multiple Updates
2014-02-04 13:22:19	Multiple Updates
2014-01-31 21:19:16	First insertion

Global Informations

Type	Count
CWE ID(s)	2
CPE ID(s)	10

	Related
10	CVE-2013-6035
10	CVE-2013-6034
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)