CVE-2018-16590

9.8 CRITICAL

📋 TL;DR

FURUNO FELCOM 250 and 500 satellite communication terminals rely solely on client-side JavaScript (login.js) to decide whether a user is authenticated, so the web server itself never checks credentials before serving protected pages. An attacker who disables JavaScript, edits the client-side check, or simply requests the protected pages with a non-browser HTTP client bypasses the login entirely. Every deployment that has not placed its own authentication in front of the device is affected, and the result is full access to the device's web interface without valid credentials.

💻 Affected Systems

Products:
  • FURUNO FELCOM 250
  • FURUNO FELCOM 500
Versions: Not narrowed down by the advisory; treat all firmware versions as affected unless FURUNO states otherwise
Operating Systems: Embedded system
Default Config Vulnerable: ⚠️ Yes
Notes: Every default installation is vulnerable because the authentication decision is made entirely in the browser by login.js; nothing on the server side enforces it

📦 What is this software?

The FELCOM 250 and FELCOM 500 are FURUNO's Inmarsat FleetBroadband maritime satellite terminals, used for voice and data connectivity on ships. They are configured and monitored through a built-in web interface, which is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to intercept/modify communications, disable safety systems, or use the device as an attack vector into connected networks.

🟠

Likely Case

Unauthorized access to device configuration, communication logs, and ability to disrupt satellite communications.

🟢

If Mitigated

Limited impact if network segmentation and additional authentication layers are implemented.

🌐 Internet-Facing: HIGH - These are satellite terminals; their web interface is often reachable from the satellite side or from a shipboard network with internet breakout, so exposure without an intervening firewall is common.
🏢 Internal Only: MEDIUM - A firewall keeps outsiders away, but anyone on the shipboard or management network can still reach the interface and walk past the login.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only disabling JavaScript, editing the client-side check in the browser's developer tools, or fetching protected pages with any HTTP client that does not execute scripts (curl, for example). No special tools are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No known vendor advisory

Restart Required: No

Instructions:

No official patch available. Contact FURUNO support for guidance.

🔧 Temporary Workarounds

Implement Reverse Proxy with Authentication

Place the device behind a reverse proxy that enforces authentication on the server side, and terminate TLS on the proxy: HTTP Basic credentials travel in clear text otherwise. The proxy only helps if the device itself is reachable from nowhere except the proxy host, so pair it with the firewall rules below.

# Example nginx config with basic auth (hostnames and file paths are placeholders)
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;
    location / {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass           http://felcom-device:80;
    }
}

Network Segmentation

Isolate FELCOM devices in a separate VLAN and allow access to their web interface only from the management network (or only from the reverse proxy host). The device is an embedded system and cannot run these rules itself; they belong on the Linux gateway or firewall between the management VLAN and the terminal's VLAN. Addresses are placeholders.

# Allow the management subnet to reach the terminal's web interface, drop everyone else.
# Rule order matters: the ACCEPT must be appended before the DROP.
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.10.5 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.10.5 -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Implement network-level authentication: reach the device only through a VPN or through a firewall that permits the management subnet alone
  • Monitor the proxy and firewall logs in front of the device for requests to protected pages from clients that never went through the login; the device's own logs will not show a failed login, because the check never reached the server

🔍 How to Verify

Check if Vulnerable:

Open the device web interface, disable JavaScript in the browser (or use curl), and request a page that should require login. If the page content comes back with HTTP 200 instead of a 401/403 or a redirect to the login page, the only check is the client-side one and the device is vulnerable.

Check Version:

Check device web interface or serial console for firmware version

Verify Fix Applied:

Repeat the same request with JavaScript disabled (or from curl). A fixed device or a correctly configured reverse proxy must refuse the protected page on the server side, with a 401/403 or a redirect to the login page, before any content is served.
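The check described above, as an added example (not FURUNO's code and not part of the original page). It fetches a page that should require login with a plain HTTP client that never executes JavaScript, then classifies the answer: a server that enforces authentication replies with 401/403 or a redirect to the login page, whereas a server whose only check lives in login.js hands back the full page with HTTP 200. The page path in the usage line and the login-page name used by the heuristics are assumptions.

```python
"""Probe a web page for client-side-only authentication (added example)."""
import re
import sys
import urllib.error
import urllib.request

# Heuristics for "this page only pretends to be protected": HTTP 200 together with
# a script that does the check in the browser (login.js on FELCOM, per the advisory)
# or an inline redirect to a login page. Pattern details are assumptions.
CLIENT_SIDE_MARKERS = (
    re.compile(r'<script[^>]+src=["\'][^"\']*login\.js', re.I),
    re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\'][^"\']*login', re.I),
)


def assess(status: int, headers: dict, body: str) -> str:
    """Classify the response to an unauthenticated GET of a protected page.

    'server-side'  - access was denied before any content was served
    'client-side'  - content was served with HTTP 200 plus a JavaScript check
    'unprotected'  - content was served with no sign of any check
    'unknown'      - anything else (server error, unexpected status)
    """
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status in (401, 403):
        return "server-side"
    if 300 <= status < 400 and "login" in location.lower():
        return "server-side"
    if status == 200 and any(p.search(body) for p in CLIENT_SIDE_MARKERS):
        return "client-side"
    if status == 200:
        return "unprotected"
    return "unknown"


def probe(url: str, timeout: float = 10.0):
    """GET url with no cookies, no credentials and no JavaScript; return (status, headers, body)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Keep 3xx responses instead of following them, so assess() sees the Location.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "felcom-auth-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # urllib raises for 3xx (because of NoRedirect) and for 4xx/5xx; all are useful here.
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python3 felcom_auth_check.py http://<terminal>/config.html   (path is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://felcom-device/config.html"
    status, headers, body = probe(target)
    verdict = assess(status, headers, body)
    print(f"{target}: HTTP {status} -> {verdict}")
    sys.exit(0 if verdict == "server-side" else 1)
```

Run it against every page you consider sensitive, not just one: a device may protect some pages server-side and others only in the browser. Exit status 0 means the server refused the page before serving it; anything else deserves a look.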

📡 Detection & Monitoring

Log Indicators:

  • Requests for protected pages from a client that never submitted the login form (the device records no failed login for a bypass, because the check runs in the browser and never reaches the server)
  • Access from unexpected IP addresses or from non-browser user agents such as curl
  • Multiple rapid login attempts, which may indicate a different attacker still trying the front door

Network Indicators:

  • HTTP requests for configuration or log pages that are not preceded by a login exchange from the same client
  • Direct device access from networks other than the management VLAN or the reverse proxy

SIEM Query:

Illustrative Splunk-style query over the reverse proxy's access logs (field names depend on your log extraction; the login path and protected paths are assumptions):

index=proxy sourcetype=nginx:access
| eval login=if(method="POST" AND uri_path="/login" AND status=302, 1, 0)
| eval protected=if(match(uri_path, "^/(config|logs)/") AND status=200, 1, 0)
| stats min(eval(if(login=1, _time, null()))) AS first_login, min(eval(if(protected=1, _time, null()))) AS first_protected BY src_ip
| where isnotnull(first_protected) AND (isnull(first_login) OR first_protected < first_login)
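The same detection logic run over sample log lines, as an added example (not FURUNO tooling and not part of the original page). It reads nginx "combined" access log lines from a reverse proxy in front of the terminal and flags clients that fetched protected pages without a successful login earlier in the log. The login path (/login, answered with 302 on success), the protected path prefixes and the log lines themselves are constructed assumptions; if your device handles the login form in JavaScript as well, use the proxy's own authentication events as the login signal instead.

```python
"""Flag access to protected pages that was not preceded by a login (added example)."""
import re
from datetime import datetime

# nginx 'combined' format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)
LOGIN_PATH = "/login"                       # assumption
PROTECTED_PREFIXES = ("/config", "/logs")   # assumption
LOGIN_OK_STATUSES = {200, 302}              # assumption: what a successful login returns

# Constructed sample: one legitimate operator, one curl client that skips the login,
# and one client whose login failed but who fetched the config page anyway.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Mar/2024:08:01:10 +0000] "GET /login.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.5.20 - - [12/Mar/2024:08:01:25 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.5.20 - - [12/Mar/2024:08:01:26 +0000] "GET /config/network.html HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2024:08:03:02 +0000] "GET /config/network.html HTTP/1.1" 200 8211 "-" "curl/8.4.0"
203.0.113.77 - - [12/Mar/2024:08:03:05 +0000] "GET /logs/comms.html HTTP/1.1" 200 20412 "-" "curl/8.4.0"
10.0.5.31 - - [12/Mar/2024:08:05:40 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.5.31 - - [12/Mar/2024:08:05:41 +0000] "GET /config/network.html HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
"""


def parse(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bypasses(lines):
    """Return [(ip, path, timestamp)] for protected pages served (HTTP 200) to clients
    that had no successful login earlier in the log. Lines must be in time order."""
    logged_in = set()
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] == LOGIN_PATH:
            if rec["status"] in LOGIN_OK_STATUSES:
                logged_in.add(rec["ip"])
            continue
        if (rec["path"].startswith(PROTECTED_PREFIXES)
                and rec["status"] == 200
                and rec["ip"] not in logged_in):
            hits.append((rec["ip"], rec["path"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for ip, path, ts in find_bypasses(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {ip} fetched {path} without a prior login")
```

Keying on the client IP is a simplification: behind NAT, one operator's login would "cover" everyone sharing that address, so where the proxy sets a session cookie, key on the cookie instead.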
