Multiple vulnerabilities in multiple Hughes Satellite Modems
| Title | Multiple vulnerabilities in multiple Hughes Satellite Modems |
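| Summary |
Multiple broadband satellite modems provided by Hughes Network Systems, LLC contain the following vulnerabilities:
* Improper Input Validation (CWE-20) - CVE-2016-9494
* Use of Hard-coded Credentials (CWE-798) - CVE-2016-9495
* Missing Authentication for Critical Function (CWE-306) - CVE-2016-9496
* Authentication Bypass Using an Alternate Path or Channel (CWE-288) - CVE-2016-9497
|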
| Possible impacts | A remote third party may conduct a denial-of-service (DoS) attack against the device, cause the device to reboot, or execute arbitrary commands on the device. |
| Solution | [Update the firmware and apply an appropriate configuration] Apply firmware version 6.9.0.34 or later, then configure the device appropriately. The developer states the following: "The Hughes system has the ability to configure the modem which will prevent access and exploitation of the listed potential vulnerabilities. Hughes has provided service providers with documentation on the parameters and current software versions required to address these potential vulnerabilities. Customers should contact their service provider to ensure the locked down configuration is pushed to their devices." |
| Publication Date | March 16, 2016, midnight |
| Registration Date | May 17, 2017, 5:40 p.m. |
| Last Update | May 17, 2017, 5:40 p.m. |
Affected System
| Hughes Network Systems |
| DW7000 |
| HN7000S/SM |
| HN7740S |
CVE (Common Vulnerabilities and Exposures)
CWE (Common Weakness Enumeration)
Vendor Information
Other
Change Log
| No | Changed Details | Date of change |
| 0 | [May 17, 2017] Published | Feb. 17, 2018, 10:37 a.m. |
| 1 | [July 5, 2019] Added reference: National Vulnerability Database (NVD) (CVE-2016-9494). Added reference: National Vulnerability Database (NVD) (CVE-2016-9495). Added reference: National Vulnerability Database (NVD) (CVE-2016-9496). Added reference: National Vulnerability Database (NVD) (CVE-2016-9497). | July 5, 2019, 10:29 a.m. |
NVD Vulnerability Information
CVE-2016-9494
| Summary | Hughes high-performance broadband satellite modems, models HN7740S, DW7000 and HN7000S/SM, are potentially vulnerable to improper input validation. The device's advanced status web page, which is linked to from the basic status web page, does not appear to properly parse malformed GET requests. This may lead to a denial of service. |
| Publication Date | July 14, 2018, 5:29 a.m. |
| Registration Date | Jan. 26, 2021, 2:20 p.m. |
| Last Update | Nov. 21, 2024, 12:01 p.m. |
Affected software configurations
| Configuration1 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7740s_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7740s:-:*:*:*:*:*:*:* |

| Configuration2 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:dw7000_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:dw7000:-:*:*:*:*:*:*:* |

| Configuration3 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7000s_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7000s:-:*:*:*:*:*:*:* |

| Configuration4 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7000sm_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7000sm:-:*:*:*:*:*:*:* |
Related information, measures and tools
Common Vulnerabilities List
CVE-2016-9495
| Summary | Hughes high-performance broadband satellite modems, models HN7740S, DW7000 and HN7000S/SM, use hard-coded credentials. Access to the device's default telnet port (23) can be obtained by using one of a few default credentials shared among all devices. |
| Publication Date | July 14, 2018, 5:29 a.m. |
| Registration Date | Jan. 26, 2021, 2:20 p.m. |
| Last Update | Nov. 21, 2024, 12:01 p.m. |
Affected software configurations
| Configuration1 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7740s_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7740s:-:*:*:*:*:*:*:* |

| Configuration2 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:dw7000_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:dw7000:-:*:*:*:*:*:*:* |

| Configuration3 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7000s_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7000s:-:*:*:*:*:*:*:* |

| Configuration4 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7000sm_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7000sm:-:*:*:*:*:*:*:* |
Related information, measures and tools
Common Vulnerabilities List
CVE-2016-9496
| Summary | Hughes high-performance broadband satellite modems, models HN7740S, DW7000 and HN7000S/SM, lack authentication. An unauthenticated user may send an HTTP GET request to http://[ip]/com/gatewayreset or http://[ip]/cgi/reboot.bin to cause the modem to reboot. |
| Publication Date | July 14, 2018, 5:29 a.m. |
| Registration Date | Jan. 26, 2021, 2:20 p.m. |
| Last Update | Nov. 21, 2024, 12:01 p.m. |
Affected software configurations
| Configuration1 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7740s_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7740s:-:*:*:*:*:*:*:* |

| Configuration2 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:dw7000_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:dw7000:-:*:*:*:*:*:*:* |

| Configuration3 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7000s_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7000s:-:*:*:*:*:*:*:* |

| Configuration4 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7000sm_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7000sm:-:*:*:*:*:*:*:* |
Related information, measures and tools
Common Vulnerabilities List
CVE-2016-9497
| Summary | Hughes high-performance broadband satellite modems, models HN7740S, DW7000 and HN7000S/SM, are vulnerable to an authentication bypass using an alternate path or channel. By default, port 1953 is accessible via telnet and does not require authentication. An unauthenticated remote user can access many administrative commands via this interface, including rebooting the modem. |
| Publication Date | July 14, 2018, 5:29 a.m. |
| Registration Date | Jan. 26, 2021, 2:20 p.m. |
| Last Update | Nov. 21, 2024, 12:01 p.m. |
Affected software configurations
| Configuration1 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7740s_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7740s:-:*:*:*:*:*:*:* |

| Configuration2 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:dw7000_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:dw7000:-:*:*:*:*:*:*:* |

| Configuration3 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7000s_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7000s:-:*:*:*:*:*:*:* |

| Configuration4 | or higher | or less | more than | less than |
| cpe:2.3:o:hughes:hn7000sm_firmware:6.9.0.34:*:*:*:*:*:*:* | | | | |
| execution environment |
| 1 | cpe:2.3:h:hughes:hn7000sm:-:*:*:*:*:*:*:* |
Related information, measures and tools
Common Vulnerabilities List