Hughes Network Systems Broadband Global Area Network (BGAN) satellite terminal firmware contains multiple vulnerabilities

Overview

Firmware developed by Hughes Network Systems used in a number of BGAN satellite terminals contains undocumented hardcoded login credentials (CWE-798). Additionally, the firmware contains an insecure proprietary communications protocol, likely a debugging service, that allows unauthenticated local network users to perform privileged operations on the device (CWE-306).

Description

CWE-798: Use of Hard-coded Credentials - CVE-2013-6034

Firmware developed by Hughes Network Systems and used in numerous broadband satellite terminals contain hardcoded login credentials. Most of these devices are utilized for broadband connectivity through the Inmarsat satellite telecommunications network.

CWE-306: Missing Authentication for Critical Function - CVE-2013-6035

Additionally, these devices accept unauthenticated connections on TCP port 1827 from the local ethernet port. This port utilizes an insecure proprietary protocol which can be used to perform privileged operations on the device, such as reading and writing arbitrary memory. An unauthenticated local attacker could leverage this protocol to execute arbitrary code on vulnerable devices.

The satellite terminals from the following vendors use the affected firmware, however specific implementations may vary the exploitability of these vulnerabilities.

Harris Corporation:

* BGAN RF-7800B-VU204
* BGAN RF-7800B-DU204

Hughes Network Systems:

* 9502
* 9201
* 9450

Thuraya Telecommunications Company:

* IP

Japan Radio Corp., Ltd.:

* JUE-250
* JUE-500

CERT/CC has confirmed that the affected firmware is developed by Hughes Network Systems. GateHouse produces a BGAN network stack that is licensed to Hughes Network Systems, but the GateHouse software does not provide either of the vulnerable features. Please see the “Vendor Information” below for more details.

The CVSS score reflects CVE-2013-6035.

Impact

Depending on implementation, an unauthenticated attacker may be able to gain privileged access to the device. Additionally, an unauthenticated attacker on the local network may be able to execute arbitrary code on the device.

---

Solution

We are currently unaware of a practical solution to this problem.

---

Vendor Information

250358

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Harris Corporation __ Affected

Notified: November 25, 2013 Updated: June 24, 2014

Status

Affected

Vendor Statement

Information security and assurance is our highest priority in developing tactical radios and networking products for military and government customers.

We have carefully reviewed the IOActive report and spoken with all relevant parties, including the authors of the report, industry partners and government technical representatives.

Based upon our reviews and lengthy discussions, we are confident that both customer data and integrity of the terminal are secure in a typical use scenario and when customary physical security protocols are followed.

1. Physical access to the RF-7800B terminal is required under the scenarios defined in the report.

2. We are confident that it is not possible to gain access to the BGAN SATCOM terminal over a wireless satellite link.

3. User data is further-protected by inline network encryption with a manpack radio for information assurance.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hughes Network Systems, Inc. __ Affected

Notified: October 10, 2013 Updated: June 24, 2014

Status

Affected

Vendor Statement

There is no statement available from the vendor for this vulnerability

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GateHouse __ Not Affected

Notified: December 11, 2013 Updated: June 06, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

GateHouse produces BGAN network software used by the vulnerable firmware, but the GateHouse software does not provide the hard-coded credentials or the debugging service.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23250358 Feedback>).

Inmarsat __ Not Affected

Notified: October 10, 2013 Updated: June 12, 2014

Status

Not Affected

Vendor Statement

Inmarsat is the market leader in the provision of mobile satellite services, with the largest portfolio of global satellite communications solutions and value-added services on the market. Inmarsat owns and operates four constellations of communication satellites, comprising a total of 11 spacecraft. Inmarsat customers include but are not limited to merchant shipping, governments, airlines, the broadcast media, the oil and gas industry, mining, construction, and humanitarian aid agencies. These customers connect to the Inmarsat fleet of satellites using a variety of devices and related equipment, including global handheld satellite phones and notebook-size broadband internet devices, as well as specialist terminals and antennas fitted to ships, aircraft and road vehicles.

The IOActive researcher identified potential vulnerabilities in the firmware used by some Inmarsat terminal manufacturers.

It is important to stress that the IOActive researcher did not identify any potential vulnerabilities in the Inmarsat network. The potential vulnerabilities are related to firmware used by some vendors that manufacture terminals authorised for use over the Inmarsat network.

It is further important to stress that nature of the terminals operating over the Inmarsat network greatly limits the number and type of security threats which these terminals could potentially encounter. Terminals used on the Inmarsat network primarily operate as communications modems linked to the open Internet. These terminals that access Inmarsat services store no confidential user information and rely upon standard end-to-end IP security mechanisms (encryption) to protect any sensitive user traffic that may pass through them. In addition, the manufacturers have confirmed that, in the majority of instances, physical access to the terminal would be required to make any modification to the firmware.

Inmarsat has been in contact with each of the terminal vendors identified in the CERT Vulnerability Note, and continues to work with them as they publish individual terminal manufacturer responses.

Although, as the network operator, Inmarsat was not identified by IOActive as the source of these potential vulnerabilities, Inmarsat takes any issues relating to security very seriously. The company has therefore been in close contact with CERT and has also reached out to IOActive, to ensure that their research team fully understands the nature of satellite communications and how devices operate over the Inmarsat network.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Japan Radio Co Ltd Unknown

Notified: October 10, 2013 Updated: November 25, 2013

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Thuraya Unknown

Notified: October 10, 2013 Updated: November 25, 2013

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	5.7	AV:A/AC:M/Au:N/C:C/I:N/A:N
Temporal	4.8	E:U/RL:U/RC:C
Environmental	1.2	CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

• <http://rf.harris.com/capabilities/tactical-radios-networking/rf-7800b/default.asp&gt;
• <http://www.hughes.com/technologies/mobilesat-systems/mobile-satellite-terminals&gt;
• <http://www.thuraya.com/thuraya-ip&gt;
• <http://www.jrc.co.jp/eng/product/marine/application/comm_inmarsat.html&gt;
• <http://www.inmarsateu.net/&gt;
• <http://www.inmarsat.com/Support/detailsupport/bgan/Firmware/index.htm&gt;
• <http://www.inmarsat.com/Support/detailsupport/FleetBroadband/Firmware/index.htm&gt;
• <http://www.thuraya.com/product_upgrades/41&gt;
• <http://www.gatehouse.dk/&gt;
• <http://www.inmarsat.com/service/bgan/&gt;
• <http://en.wikipedia.org/wiki/BGAN&gt;

Acknowledgements

Thanks to IOActive researcher Ruben Santamarta for reporting this vulnerability.

This document was written by Todd Lewellen and Chris King.

Other Information

CVE IDs:	CVE-2013-6034, CVE-2013-6035
Date Public:	2014-01-31 Date First Published: