CVE-2018-19392

9.8 CRITICAL

📋 TL;DR

CVE-2018-19392 is an unauthenticated password reset vulnerability in Cobham Satcom Sailor satellite communication devices. Attackers can reset any user's password (including admin) without authentication by sending specially crafted requests to the web interface. This affects organizations using vulnerable Sailor 250 and 500 devices for maritime communications.

💻 Affected Systems

Products:
  • Cobham Satcom Sailor 250
  • Cobham Satcom Sailor 500
Versions: All versions before 1.25
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Devices are typically deployed in maritime environments on vessels, with web interfaces accessible for configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of satellite communication systems, allowing attackers to intercept/modify communications, disable critical maritime communications, or use devices as entry points to connected networks.

🟠 Likely Case

Unauthorized administrative access to satellite terminals, enabling configuration changes, service disruption, or credential harvesting from connected systems.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict network segmentation and access controls, though the vulnerability remains exploitable by anyone with network access.

🌐 Internet-Facing: HIGH - Devices are often deployed on vessels with internet-facing interfaces for remote management, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Even internally, any user with network access to the device could exploit this vulnerability to gain administrative privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to specific endpoints with crafted parameters. Public proof-of-concept code demonstrates the attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.25 and later

Vendor Advisory: https://www.cobham.com/satcom/

Restart Required: Yes

Instructions:

1. Download firmware version 1.25 or later from the Cobham Satcom support portal.
2. Access the device web interface.
3. Navigate to Administration > Software Update.
4. Upload and apply the new firmware.
5. Reboot the device after the update completes.

🔧 Temporary Workarounds

Network Access Restriction (applies to: all)

Restrict network access to device management interfaces using firewall rules.

Disable Remote Management (applies to: all)

Disable web interface access from external networks if not required.

🧯 If You Can't Patch

  • Isolate devices in dedicated network segments with strict firewall rules allowing only necessary traffic
  • Implement network monitoring for suspicious HTTP requests to /index.lua with password reset parameters

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface: Login > Administration > System Information. If the version is below 1.25, the device is vulnerable.

Check Version:

No CLI command is available; check via the web interface at /index.lua?pageID=SystemInformation.

Verify Fix Applied:

After updating, verify that the firmware version shown in System Information is 1.25 or higher, and test that a password change requires the current password.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /index.lua with pageID=Administration and passwordAdmChange parameters
  • Multiple failed login attempts followed by successful password reset

Network Indicators:

  • HTTP POST requests to device IP with password reset parameters without authentication
  • Unusual administrative activity from non-standard IP addresses

SIEM Query:

sourceIP="device_IP" AND (url="*index.lua*pageID=Administration*" OR url="*passwordAdmChange*")
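The log and network indicators above can be turned into a small offline detector. The following is an added example written for this page, not code from Cobham or from any public PoC. It assumes the device's web interface (or a reverse proxy in front of it) writes Apache/nginx "combined"-format access logs, matches the /index.lua endpoint with the pageID=Administration and passwordAdmChange parameters named on this page, and raises the severity when the source address is outside a constructed list of trusted management networks. The sample log lines, IP addresses and user agents are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format) for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:14:03 +0000] "GET /index.lua?pageID=SystemInformation HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:14:20 +0000] "POST /index.lua?pageID=Administration HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:14:55 +0000] "POST /index.lua?pageID=Administration&passwordAdmChange=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2024:10:15:41 +0000] "POST /index.lua?pageID=Administration&passwordAdmChange=1 HTTP/1.1" 200 900 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2024:10:15:42 +0000] "GET /index.lua?pageID=Administration&passwordAdmChange=1 HTTP/1.1" 200 900 "-" "curl/8.0"
10.0.0.9 - - [12/Mar/2024:10:16:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep_blank_values so a bare "passwordAdmChange" with no value is still seen
    entry["params"] = parse_qs(parts.query, keep_blank_values=True)
    entry["status"] = int(entry["status"])
    return entry


def is_password_reset_request(entry):
    """True if the request targets /index.lua with pageID=Administration and a passwordAdmChange parameter."""
    if entry["path"].lower() != "/index.lua":
        return False
    params = {k.lower(): v for k, v in entry["params"].items()}
    pages = [p.lower() for p in params.get("pageid", [])]
    return "administration" in pages and "passwordadmchange" in params


def scan_log(text, trusted_networks=()):
    """Return one alert per matching request; severity is high for sources outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_password_reset_request(entry):
            continue
        try:
            src = ipaddress.ip_address(entry["ip"])
            trusted = any(src in net for net in nets)
        except ValueError:
            trusted = False  # unparsable source address: treat as untrusted
        alerts.append({
            "ts": entry["ts"],
            "ip": entry["ip"],
            "method": entry["method"],
            "status": entry["status"],
            "ua": entry["ua"],
            "severity": "medium" if trusted else "high",
        })
    return alerts


if __name__ == "__main__":
    # 10.0.0.0/24 is a constructed "management network" for this example.
    for alert in scan_log(SAMPLE_LOG, trusted_networks=["10.0.0.0/24"]):
        print(f'{alert["severity"].upper():6} {alert["ts"]} {alert["ip"]} '
              f'{alert["method"]} status={alert["status"]} ua="{alert["ua"]}"')
```

On the sample input the two requests from 203.0.113.77 are reported as high severity and the one from the trusted management network as medium, which is the triage split a SOC would want: an administrator legitimately changing a password looks identical on the wire, so source address and the preceding authentication activity are what separate the two cases. One caveat that applies equally to the SIEM query above: if the password-change parameters are sent in a POST body rather than the query string, a URL-based access log never sees them, so this detection needs full-request visibility from a proxy, WAF or IDS in front of the device.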
