CERT Coordination Center

Cobham Aviator satellite terminals contain multiple vulnerabilities

Vulnerability Note VU#882207

Original Release Date: 2014-08-07 | Last Revised: 2014-09-18

Overview

Cobham Aviator 700D and 700E satellite terminals contain multiple vulnerabilities.

Description

Cobham Aviator 700D and 700E satellite communication terminals contain the following vulnerabilities:

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2014-2942 (Please note that the CVE for this vulnerability has been changed from CVE-2014-2943 to CVE-2014-2942 due to a duplicate CVE identifier.)
IOActive reports that Cobham satellite terminals utilize a risky algorithm to generate a PIN code for accessing the terminal. The algorithm is reversible and allows a local attacker to generate a superuser PIN code.

CWE-798: Use of Hard-coded Credentials - CVE-2014-2964
IOActive reports that certain privileged commands in the satellite terminals require a password to execute. The commands debug, prod, do160, and flrp have hardcoded passwords. A local attacker may be able to gain unauthorized privileges using these commands.

The vendor Cobham has provided the following statement:
Cobham SATCOM has found that potential exploitation of the vulnerabilities presented requires either physical access to the equipment or connectivity to the maintenance part of the network, which also requires a physical presence at the terminal. Specifically, in the aeronautical world, there are very strict requirements for equipment installation and physical access to the equipment is restricted to authorized personnel.

The described hardcoded credentials are only accessible via the maintenance port connector on the front-plate and will require direct access to the equipment via a serial port. The SDU is installed in the avionics bay of the aircraft, and is not accessible for unauthorized personnel.

Cobham SATCOM will continue to evaluate any potential vulnerabilities with its equipment and implement increased security measures if required.

Impact

A local unauthenticated attacker may be able to gain full control of the satellite terminal.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

Cobham plc Affected

Notified:  January 14, 2014 Updated: July 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
Temporal 6.2 E:POC/RL:U/RC:C
Environmental 2.0 CDP:H/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Ruben Santamarta for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-2942, CVE-2014-2964
Date Public: 2014-08-07
Date First Published: 2014-08-07
Date Last Updated: 2014-09-18 18:16 UTC
Document Revision: 19

Sponsored by CISA.