Multiple Vulnerabilities and the Cobham EXPLORER 710 SATCOM Terminal

By Jarren Buendia on December 6, 2019

Introduction

According to Cobham’s 2016 product data sheet, the EXPLORER 710 is a new-era Broadband Global Area Network (BGAN) satellite terminal capable of supporting high-data-rate streaming (650 kbps wireless, 1+ Mbps wired), personal smart device interoperability, and USB host interfaces. Simply put, this device is meant to connect remote users to the Internet. The Cobham company, according to their website, is “Recognized as a world leading supplier of robust, high performance equipment and solutions that enable reliable connectivity anywhere, anytime, in the most demanding environments.” In other words, they supply satellite-capable connectivity devices to people who are out in the field, where a reliable network connection is not feasible. This can include journalists, explorers, humanitarian aid workers, and also our military. Granted, if the military is using these devices, then that should mean the devices have been approved under DoD Instruction 8500. However, this may not be the case for some devices that slip through the cracks or are used by external personnel who are working with the military. Carnegie Mellon’s Cyber Emergency Readiness Team (CERT) has investigated these devices and discovered that the EXPLORER 710 is affected by multiple Common Vulnerabilities and Exposures (CVE) entries.

Vulnerability

In the CERT report, six CVEs were named. However, for the sake of this summary, we will focus on three: CVE-2019-9532, CVE-2019-9533, and CVE-2019-9534. Each CVE is referred to by the last four digits of its identifier from here on, and each affects firmware version 1.07 and earlier (unless otherwise specified). 9532 states that the web application portal sends the password in cleartext, 9533 states that the root password is the same for all firmware versions up to 1.08, inclusive, and 9534 states that the device does not validate its firmware image. What this means is that, based on just these three CVEs, Cobham EXPLORER 710 devices do not encrypt passwords when users log into the web portal, have a static root password that can be reverse-engineered from multiple firmware versions, and contain critical security holes in their firmware.

Impact

The National Vulnerability Database (NVD) has assigned each CVE the following Common Vulnerability Scoring System (CVSS) scores: 9532 at 7.8 critical, 9533 at 9.8 critical, and 9534 at 7.8 critical.

9532 is considered a critical vulnerability, because password security is crucial for maintaining the confidentiality and integrity of the system/information. Transmitting passwords in cleartext allows unauthenticated, local attackers to intercept this information and use it to gain unauthorized access to the device. This could lead to an attacker obtaining sensitive information or causing damage to the system.

9533 is considered a critical vulnerability for a similar reason to 9532: password security is crucial. While root password security may not suffer from the same shortcomings, it can be exploited over the network and with relative ease. Since the root password has not changed between the firmware’s initial release and version 1.08, an attacker could reverse-engineer the password from any version in between. Cracking this password is relatively easy because attackers have quite a few options at hand when deciding on how to infiltrate the device, and they also have quite a few versions to choose from.

9534 is considered a critical vulnerability, because not verifying the firmware image can lead to uploads of custom firmware scripts that undermine the security of the device. If anything is allowed through the door, and those already inside the building aren’t identified, then the device may suffer from scripts that intercept/modify traffic, spoof/intercept GPS signals, exfiltrate sensitive information, hide backdoors, or cause a Denial of Service (DoS) attack. The impacts of exploiting this vulnerability are numerous and highly damaging.

Mitigation

According to the CERT article, their investigation is based on another team’s findings from 2014, which listed other vulnerabilities found in these Cobham devices. However, as of this writing, no official statements/solutions have been released since the NVD posted these new CVEs on 10 October 2019.

As for mitigation steps that general end users can take, 9533 can be solved by changing the default root password, but 9532 and 9534 may be too complicated. Savvy users/admins can implement some kind of login security, such as New Technology LAN Manager (NTLM). NTLM is a Windows-based authentication protocol that uses challenge/response messages, instead of password transmissions, to secure login sessions. NTLM could solve the issue of the password being sent in plaintext, but users still need to make sure the transmission of NTLM data is secured. Lastly, users could try to patch the firmware issues manually, but without universal support from Cobham, security will be inconsistent and spotty. If we also include the other CVEs not mentioned in this summary, there doesn’t appear to be a streamlined solution available just yet.
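The challenge/response idea described above, as an added example that is not part of the original article and is not NTLM itself: a generic HMAC-SHA256 exchange in which only a random challenge and a keyed response cross the wire. The `Server` class, function names, password and salt are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not a real device credential.
PASSWORD = "correct horse battery staple"
SALT = b"constructed-salt"


def derive_key(password: str) -> bytes:
    """Stretch the password into a key. The server stores this key, which is
    still password-equivalent and must be protected at rest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


class Server:
    def __init__(self, password: str):
        self._key = derive_key(password)
        self._pending = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Each challenge is single-use, so a captured response cannot be replayed.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client proves knowledge of the password without transmitting it."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def login_exchange(server: Server, password: str):
    """Run one login; return (accepted, bytes an eavesdropper would see)."""
    nonce = server.challenge()
    response = client_response(password, nonce)
    return server.verify(nonce, response), nonce + response
```

A captured challenge/response pair can still be used for offline password guessing, which is why the exchange needs a secured transport, as noted above.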

References

“Communications and Connectivity.” Retrieved From: cobham.com. 01 Nov 2019.

“CVE-2019-9532 Detail.” Retrieved From: nvd.nist.gov/vuln. 30 Oct 2019.

“CVE-2019-9533 Detail.” Retrieved From: nvd.nist.gov/vuln. 30 Oct 2019.

“CVE-2019-9534 Detail.” Retrieved From: nvd.nist.gov/vuln. 30 Oct 2019.

“EXPLORER 710: High-Speed, Portable BGAN Terminal” Retrieved From: cobham.com. 30 Oct 2019.

“Microsoft NTLM.” Retrieved From: microsoft.com. 01 Nov 2019.

“Multiple vulnerabilities found in the Cobham EXPLORER 710 satcom terminal.” Retrieved From: kb.cert.org. 30 Oct 2019.