Details of VAR-201408-0145

ID

VAR-201408-0145

CVE

CVE-2014-0326

TITLE

Iridium Pilot and OpenPort contain multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#578598

DESCRIPTION

The Pilot Below Deck Equipment (BDE) and OpenPort implementations on Iridium satellite terminals allow remote attackers to read hardcoded credentials via the web interface. Additionally, these broadband satellite terminals utilize an insecure proprietary communications protocol that allows unauthenticated users to perform privileged operations on the devices (CWE-306). Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. http://cwe.mitre.org/data/definitions/798.htmlBy a third party Web There is a possibility that hard-coded credentials can be read through the interface. Iridium OpenPort is a marine satellite terminal product. Iridium Pilot and OpenPort built-in accounts have information disclosure vulnerabilities. The device's administrator authentication credentials cannot be changed, allowing attackers to exploit the vulnerability for unauthorized access. Affected devices

Trust: 3.15

sources: NVD: CVE-2014-0326 // CERT/CC: VU#578598 // JVNDB: JVNDB-2014-003825 // CNVD: CNVD-2014-05034 // BID: 69158

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-05034

AFFECTED PRODUCTS

vendor:	iridium	model:	open port	scope:	eq	version:	-	Trust: 1.6
vendor:	iridium	model:	pilot below deck equipment	scope:	eq	version:	-	Trust: 1.6
vendor:	iridium	model:	pilot	scope:	-	version:	-	Trust: 1.4
vendor:	iridium	model:	openport	scope:	-	version:	-	Trust: 1.4
vendor:	iridium	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	iridium	model:	communications pilot	scope:	eq	version:	0	Trust: 0.3
vendor:	iridium	model:	communications openport	scope:	eq	version:	0	Trust: 0.3

sources: CERT/CC: VU#578598 // CNVD: CNVD-2014-05034 // BID: 69158 // JVNDB: JVNDB-2014-003825 // CNNVD: CNNVD-201408-136 // NVD: CVE-2014-0326

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0326
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-0326
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2014-05034
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201408-136
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2014-0326
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-05034
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-05034 // JVNDB: JVNDB-2014-003825 // CNNVD: CNNVD-201408-136 // NVD: CVE-2014-0326

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-798	Trust: 0.8
problemtype:	CWE-306	Trust: 0.8
problemtype:	CWE-Other	Trust: 0.8

sources: CERT/CC: VU#578598 // JVNDB: JVNDB-2014-003825 // NVD: CVE-2014-0326

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201408-136

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201408-136

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003825

PATCH

title:	Iridium OpenPort	url:	http://iridium.com/products/Iridium-OpenPort.aspx?productCategoryID=30	Trust: 0.8
title:	Iridium Pilot	url:	http://iridium.com/products/Iridium-Pilot.aspx?productCategoryID=30	Trust: 0.8

sources: JVNDB: JVNDB-2014-003825

EXTERNAL IDS

db:	CERT/CC	id:	VU#578598	Trust: 4.1
db:	NVD	id:	CVE-2014-0326	Trust: 3.3
db:	BID	id:	69158	Trust: 1.5
db:	JVN	id:	JVNVU91970952	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-003825	Trust: 0.8
db:	CNVD	id:	CNVD-2014-05034	Trust: 0.6
db:	CNNVD	id:	CNNVD-201408-136	Trust: 0.6

sources: CERT/CC: VU#578598 // CNVD: CNVD-2014-05034 // BID: 69158 // JVNDB: JVNDB-2014-003825 // CNNVD: CNNVD-201408-136 // NVD: CVE-2014-0326

REFERENCES

url:	http://www.kb.cert.org/vuls/id/578598	Trust: 3.3
url:	http://iridium.com/products/iridium-pilot.aspx?productcategoryid=30	Trust: 1.1
url:	http://iridium.com/products/iridium-openport.aspx?productcategoryid=30	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0326	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu91970952/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0326	Trust: 0.8
url:	http://www.securityfocus.com/bid/69158	Trust: 0.6
url:	http://iridium.com/default.aspx	Trust: 0.3

sources: CERT/CC: VU#578598 // CNVD: CNVD-2014-05034 // BID: 69158 // JVNDB: JVNDB-2014-003825 // CNNVD: CNNVD-201408-136 // NVD: CVE-2014-0326

CREDITS

Cesar Cerrudo, and Ruben Santamarta

Trust: 0.9

sources: BID: 69158 // CNNVD: CNNVD-201408-136

SOURCES

db:	CERT/CC	id:	VU#578598
db:	CNVD	id:	CNVD-2014-05034
db:	BID	id:	69158
db:	JVNDB	id:	JVNDB-2014-003825
db:	CNNVD	id:	CNNVD-201408-136
db:	NVD	id:	CVE-2014-0326

LAST UPDATE DATE

2025-04-12T23:09:22.044000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#578598	date:	2014-09-12T00:00:00
db:	CNVD	id:	CNVD-2014-05034	date:	2014-08-15T00:00:00
db:	BID	id:	69158	date:	2014-08-07T00:00:00
db:	JVNDB	id:	JVNDB-2014-003825	date:	2014-08-19T00:00:00
db:	CNNVD	id:	CNNVD-201408-136	date:	2014-08-18T00:00:00
db:	NVD	id:	CVE-2014-0326	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#578598	date:	2014-08-07T00:00:00
db:	CNVD	id:	CNVD-2014-05034	date:	2014-08-15T00:00:00
db:	BID	id:	69158	date:	2014-08-07T00:00:00
db:	JVNDB	id:	JVNDB-2014-003825	date:	2014-08-19T00:00:00
db:	CNNVD	id:	CNNVD-201408-136	date:	2014-08-12T00:00:00
db:	NVD	id:	CVE-2014-0326	date:	2014-08-17T23:55:04.027