10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.005 Low
EPSS
Percentile
77.6%
CERT/CC researchers examined the satcom terminal Cobham EXPLORER 710 as an expansion of work from IOActive’s findings in 2014. They discovered multiple new vulnerabilities affecting the device and the firmware, some of which could allow an unauthenticated, local attacker to gain access to sensitive information or complete control of the device.
The Cobham EXPLORER 710 is a portable satellite terminal used to provide satellite telecommunications and internet access. For consistency, “device” mentioned in the following section is defined as the Cobham EXPLORER 710. The affected firmware version is 1.07 for all of the vulnerabilities listed below unless otherwise noted.
CVE-2019-9529
The web application portal has no authentication by default. This could allow an unauthenticated, local attacker connected to the device to access the portal and to make any change to the device.
CVE-2019-9530
The web root directory has no access restrictions on downloading and reading all files. This could allow an unauthenticated, local attacker connected to the device to access and download any file found in the web root directory.
CVE-2019-9531
The web application portal allows unauthenticated access to port 5454 on the device. This could allow an unauthenticated, remote attacker to connect to this port via Telnet and execute 86 Attention (AT) commands, including some that provide unauthenticated, shell-like access to the device.
CVE-2019-9532
The web application portal sends the login password in cleartext. This could allow an unauthenticated, local attacker to intercept the password and gain access to the portal.
CVE-2019-9533
The root password for the device is the same for all versions of firmware up to and including v1.08. This could allow an attacker to reverse-engineer the password from available versions to gain authenticated access to the device.
CVE-2019-9534
The device does not validate its firmware image. Development scripts left in the firmware can be used to upload a custom firmware image that the device runs. This could allow an unauthenticated, local attacker to upload their own firmware that could be used to intercept or modify traffic, spoof or intercept GPS traffic, exfiltrate private data, hide a backdoor, or cause a denial-of-service. The CVSS score below reflects the score for this CVE in particular.
In addition to the findings above, we have found some configuration issues within the device that can leave it vulnerable to attackers. The default WiFi password is publicly documented as the serial number of the device and can be easily brute forced. Additionally, important security headers are missing, which leaves the device vulnerable to cross-site scripting and clickjacking.
The impacts of these vulnerabilities are that an unauthenticated, local attacker could intercept traffic that may include passwords or sensitive data, remotely execute commands on the device, access files that should be restricted, and make changes to the device that could include uploading custom firmware for control over it.
The CERT/CC is currently unaware of a practical solution to these problems.
719689
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: April 24, 2019 Updated: October 01, 2019
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 6.9 | AV:L/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 6.9 | E:ND/RL:ND/RC:ND |
Environmental | 6.9 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
This document was written by Kyle O’Meara and David Belasco of the CERT Coordination Center of the Carnegie Mellon Software Engineering Institute.
CVE IDs: | [CVE-2019-9529 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-9529 >), CVE-2019-9530, CVE-2019-9531, CVE-2019-9532, CVE-2019-9533, CVE-2019-9534 |
---|---|
Date Public: | 2019-10-09 Date First Published: |
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.005 Low
EPSS
Percentile
77.6%