CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Percentile: 81.2%
Inmarsat Solutions offers a shipboard email client service, AmosConnect 8 (AC8), which was designed to be used over satellite networks in a highly optimized manner. IOActive has identified two security vulnerabilities in the client software:
* On-board ship network access could provide visibility of user names and passwords configured on the client device.
* A backdoor account has been identified in the client that provides full system privileges.
This vulnerability could be exploited remotely. An attacker with high skill would be able to exploit this vulnerability. AmosConnect 8 has been deemed end of life and is no longer supported. Inmarsat customers must contact Inmarsat Customer Service to obtain the replacement mail client software.
**CWE-89: Blind SQL Injection in Login Form** - CVE-2017-3221
Unauthenticated attackers having network access to the AmosConnect Server can exploit a Blind SQL Injection vulnerability in the login form to gain access to credentials stored in its internal database, containing user names and passwords.
**CWE-798: Use of Hard-coded Credentials** - CVE-2017-3222
Attackers having network access to an AmosConnect server can log into it using a backdoor account that has full system privileges. Among other things, this vulnerability allows attackers to execute commands with SYSTEM privileges on the remote system by abusing AmosConnect Task Manager.
Successful exploitation of this vulnerability may allow a remote attacker to access or influence AmosConnect 8 email databases on computers that are installed onboard ships.
AmosConnect 8 has been deemed End of Life and is no longer supported.
* Customers are no longer able to activate the software installer for AC8. This was removed from the software distribution website.
* It is no longer possible to activate a new AC8 license.
* As of July 2017, support for AC8 shall be discontinued, and clients will no longer be able to use the software.
* The software download for the current version of AC8.4 has been removed from the Inmarsat website.
As of July 2017, support for the Inmarsat AmosConnect 8 service has been decommissioned and clients will no longer be able to download the software from the software distribution website. Customers can contact Inmarsat Customer Service to obtain further information and updates for the replacement email client.
The following versions of AmosConnect 8 are affected:
Client Version | Release Date |
---|---|
8.0, 8.0.1, 8.0.2 | June 17, 2010 |
8.2.0 | February 11, 2011 |
8.2.1 | June 9, 2011 |
8.2.2 | September 13, 2011 |
8.3.0, 8.3.1 | January 23, 2012 |
8.4.0 | November 20, 2013 |
8.4.0.1 | November 20, 2013 |
Group | Score | Vector |
---|---|---|
Base | 0 | AV:β/AC:β/Au:β/C:β/I:β/A:β |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
These vulnerabilities were reported by Mario Ballano of IOActive Labs.
This document was written by Laurie Tyzenhaus.
CVE IDs: | CVE-2017-3221, CVE-2017-3222 |
---|---|
Date Public: | 2017-07-20 |
Date First Published: | |