UPDATE Researchers are warning of two critical vulnerabilities in global satellite telecommunications company Inmarsat’s SATCOM systems. The vulnerabilities impact thousands of customers running the newest version of its AmosConnect platform, typically found on maritime sea vessels, according to researchers at IOActive.
Researchers warn communication systems running the AmosConnect 8 platform are exposed to vulnerabilities that could give an attacker full administrative privileges and allow a remote attacker to access user credentials.
“Given the nature of the companies that use this equipment and the types of back-end systems they connect to, we view this as a critical vulnerability,” said Mario Ballano, principal security consultant at IOActive in an interview with Threatpost.
Inmarsat initially did not respond to requests to comment for this story. But in a statement issued Thursday the company said, “When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed.”
AmosConnect 8 is a PC-based SATCOM service that integrates a bevy of communication tools such as email, fax, telex, GSM text and interoffice communication. AmosConnect 8 was introduced in 2010 by a division of Inmarsat called Stratos Global. Stratos was acquired by Inmarsat in 2009 and continues to operate as an independent company.
One of the vulnerabilities (CVE-2017-3221) is a blind SQL injection flaw found in AmosConnect 8’s login form that allows attackers already on the network to access user credentials of other users, including user names and passwords. “The server stores usernames and passwords in plaintext, making this vulnerability trivial to exploit,” IOActive said in a report released today explaining its research.
Attackers exploit this vulnerability by using specially crafted requests to attempt to log into the AmosConnect 8 service and retrieve credentials from the POST responses, Ballano said.
“The blind SQL injection is found in a login form, and a backdoor account that provides full system privileges that could allow remote unauthenticated attackers to execute arbitrary code on the AmosConnect server,” said Ballano. “If compromised, this flaw can be leveraged to gain unauthorized network access… and potentially open access to other connected systems.”
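To make the two defects behind CVE-2017-3221 concrete, here is an added Python example that is not IOActive's or Inmarsat's code and assumes nothing about AmosConnect's internals: a login routine written the way the report describes the flaw, with user input spliced into the SQL and passwords stored in plaintext, beside a hardened version that parameterizes the query and stores salted PBKDF2 hashes. The table layout, the sample users and the probe user name are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the example; not real AmosConnect data.
SAMPLE_USERS = [("captain", "harbor-2017"), ("engineer", "bilge-pump")]
PBKDF2_ITERATIONS = 100_000


def make_vulnerable_db():
    """Table modelled on what the report describes: passwords in plaintext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def vulnerable_login(db, username, password):
    """Login check of the kind the report describes: the user-controlled
    strings become part of the SQL text, so a quote character in either
    field changes the structure of the query rather than being data."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def make_hardened_db():
    """Same accounts, but only a per-user salt and hash are stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return db


def hardened_login(db, username, password):
    """Parameterized lookup (input is always data, never SQL) plus a
    constant-time comparison against the stored hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is None:
        # Do the same amount of work for unknown names so response time
        # does not reveal which user names exist.
        hash_password(password, os.urandom(16))
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demonstrate():
    """Feed a name containing a quote character (a legitimate-looking name,
    not an attack string) to both versions. The vulnerable query's structure
    breaks, which is the condition an injection relies on; the hardened
    query simply reports a failed login."""
    probe = "o'brien"
    try:
        vulnerable = vulnerable_login(make_vulnerable_db(), probe, "x")
    except sqlite3.OperationalError as exc:
        vulnerable = "sql error: %s" % exc
    hardened = hardened_login(make_hardened_db(), probe, "x")
    return vulnerable, hardened


if __name__ == "__main__":
    print(demonstrate())
```

The point of the pairing is that the two defects compound: parameterizing the query alone would stop the injection, but hashing alone would not, and with plaintext storage a successful injection hands over every account rather than an unusable digest.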
The second bug (CVE-2017-3222) is tied to hard-coded credentials found in AmosConnect 8 that allow remote attackers to gain full administrative privileges and the ability to execute commands on targeted systems, according to the CVE record.
In one example, when a user logs into AmosConnect 8, the AmosConnect server ID is exposed on the login screen. The SysAdmin password associated with that server ID can then be exposed through a series of specific authentication attempts.
“Among other things, this vulnerability allows attackers to execute commands with SYSTEM privileges on the remote (Windows) system by abusing AmosConnect Task Manager,” according to the IOActive report.
In its statement, Inmarsat countered: “It is important to note that this vulnerability would have been very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. While remote access was deemed to be a remote possibility as this would have been blocked by Inmarsat’s shoreside firewalls.”
“We have reported these vulnerabilities but there is no fix for them, as Inmarsat has discontinued AmosConnect 8, announcing its end-of-life in June 2017,” wrote IOActive.
Customers running AmosConnect 8 are advised to roll back their systems to AmosConnect 7.
“Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive’s report and, in 2016, we communicated to our customers that the service would be terminated in July 2017,” according to the company’s statement. “Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished to.”
IOActive said it identified the vulnerabilities and notified Inmarsat of the threats in September 2016. Inmarsat notified customers on Nov. 1, 2016 that AmosConnect 8 would reach end of life on June 30, 2017. No mention was made of vulnerabilities in its official notification at the time.
“These vulnerabilities pose a serious security risk. Attackers might be able to obtain corporate data, take over the server to mount further attacks, or pivot within the vessel networks,” wrote IOActive researchers.
(Story was updated Oct. 26 at 10:20 ET with Inmarsat’s statement)