Satlink VSAT modem vulnerabilities open door to cross-site scripting attacks


Two vulnerabilities in SatLink 2000 VSAT modem could enable hackers to carry out cross-site scripting attacks and sniff sensitive data traversing the modem

Security researchers have divulged two vulnerabilities in the SatLink 2000 VSAT modem that could enable hackers to carry out cross-site scripting attacks and sniff sensitive data traversing the modem.

VSAT modems are hardware devices typically found in offshore environments or remote areas where satellite communications are necessary for Internet access.

According to Trustwave SpiderLabs security researcher Robert Foggia, the first vulnerability is a reflected Cross-site Scripting issue that affects SatLink 2000, SatLink 2900, and SatLink 2910 running the VMU software version prior to 18.1.0.

Foggia said that the web interface didn't properly sanitise input for error messages, which allowed the ability to inject arbitrary client-side code. This vulnerability has been assigned CVE-2019-15652.

The second issue he discovered was that the device only supported insecure protocols such as HTTP and Telnet.

"These cleartext protocols would allow an attacker to sniff for credentials or other sensitive information over the wire, insert unintended data, or hijack entire management sessions," he said.

The flaws were discovered in May this year, but can now only be revealed now that SatLink has recently released firmware updates based on issues disclosed to them. 

"SatLink was very communicative with us during the responsible disclosure process, which is rare in my experience. While they were unable to produce a fix within the 90-day deadline outlined by our policy, just by being responsive with regular updates allowed us to provide the flexibility necessary for a patch to be released," he said.

"When your end goal is to make things more secure, publicly releasing vulnerability details when no patch is available (aka "full disclosure") should be a last-ditch effort."

In the latest 18.1.0 build, SatLink added SSHv2 and HTTPS support for both SatLink 2900 and SatLink 2910.

Fortunately these vulnerabilities were in VSAT modems, which aren't as widely used as traditional modems, said Javvad Malik, security awareness advocate at KnowBe4. 

"Any customers that have these devices should apply the available patches as soon as possible to protect themselves from any attacks using these vulnerabilities. Unpatched public-facing software is among the biggest vectors through which criminals gain access to companies and, remains one of the biggest challenges for organisations to stay on top of," he told SC Media UK.

The SatLink vulnerabilities are prime examples of why it is so important to design every system with security in mind, noted Stuart Sharp, VP of solution engineering at OneLogin.

"Without encrypted communication, any system will be vulnerable to sniffing attacks. For companies using SatLink systems, it’s vital that they upgrade immediately, change their existing administrator credentials and configure their systems to use SSHv2 and HTTPS," Sharp told SC Media UK.

"NSSLGlobal should also consider supporting 2FA for access to admin consoles — offline One Time Password solutions are readily available and are now common across many IT platforms," he added.

More details of the vulnerabilities can be found here.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews