Ruben Santamarta

**Nome do software vulnerável e versões afetadas** Versões 1.14.2 e posteriores do Zephyr Versões 2.3.0 e posteriores do Zephyr **Descrição** O problema está relacionado a um SPI malformado na resposta para o eswifi, o que pode corromper a memória do kernel. É descrito como um estouro de buffer baseado em heap. **Recomendações** Para as versões 1.14.2 e posteriores do Zephyr, atualize para uma versão que contenha uma correção para o problema de estouro de buffer baseado em heap. Para as versões 2.3.0 e posteriores do Zephyr, atualize para uma versão que contenha uma correção para o problema de estouro de buffer baseado em heap. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Cobham Aviator versions 700D and 700E **Description** The issue concerns an improper algorithm used for PIN codes in the affected satellite terminals, making it easier for attackers to calculate the superuser code. This could allow attackers to obtain a privileged terminal session by leveraging physical access or terminal access to enter the calculated code. **Recommendations** For Cobham Aviator 700D, update the PIN code algorithm to prevent easy calculation of the superuser code. For Cobham Aviator 700E, update the PIN code algorithm to prevent easy calculation of the superuser code. As a temporary workaround, consider restricting physical and terminal access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Iridium satellite terminals (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary code by uploading new firmware to the TCP port 54321. This is related to the Terminal Upgrade Tool in the Pilot Below Deck Equipment (BDE) and OpenPort implementations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Iridium satellite terminals (affected versions not specified) **Description** The issue allows remote attackers to read hardcoded credentials via the web interface on the Pilot Below Deck Equipment (BDE) and OpenPort implementations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cobham Sailor 900 and 6000 satellite terminals with firmware 1.08 MFHF and 2.11 VHF **Description** The issue concerns hardcoded credentials for the administrator account in the affected satellite terminals. This allows attackers to gain administrative control by leveraging physical access or terminal access. **Recommendations** For Cobham Sailor 900 and 6000 satellite terminals with firmware 1.08 MFHF and 2.11 VHF, consider changing the hardcoded administrator credentials to unique, strong passwords as soon as possible to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cobham Sailor 6000 satellite terminals (affected versions not specified) **Description** The issue concerns hardcoded Tbus 2 credentials in Cobham Sailor 6000 satellite terminals. This allows remote attackers to obtain access via a TBUS2 command. The vendor has stated that there is no possibility to exploit another user's credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cobham SAILOR 900 VSAT SAILOR FleetBroadBand versions 150, 250, and 500 EXPLORER BGAN AVIATOR versions 200, 300, 350, and 700D **Description** The issue allows attackers to obtain administrative privileges by leveraging physical access or terminal access to spoof a reset code, due to improper restriction of password recovery. **Recommendations** For Cobham SAILOR 900 VSAT, restrict physical and terminal access to prevent spoofing of the reset code. For SAILOR FleetBroadband versions 150, 250, and 500, limit access to the device to minimize the risk of exploitation. For EXPLORER BGAN, consider implementing additional security measures to prevent unauthorized access. For AVIATOR versions 200, 300, 350, and 700D, restrict access to the device and its components to prevent administrative privilege escalation.

**Name of the Vulnerable Software and Affected Versions** Cobham devices (affected versions not specified) **Description** The issue concerns the thraneLINK protocol implementation, which fails to verify firmware signatures. This allows attackers to execute arbitrary code by leveraging physical access or terminal access to send an SNMP request and a TFTP response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GateHouse firmware (affected versions not specified) Harris BGAN RF-7800B-VU204 firmware (affected versions not specified) Harris BGAN RF-7800B-DU204 firmware (affected versions not specified) Hughes Network Systems 9201 firmware (affected versions not specified) Hughes Network Systems 9450 firmware (affected versions not specified) Hughes Network Systems 9502 firmware (affected versions not specified) Inmarsat firmware (affected versions not specified) Japan Radio JUE-250 firmware (affected versions not specified) Japan Radio JUE-500 firmware (affected versions not specified) Thuraya IP satellite terminals firmware (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary code via unspecified protocol operations on TCP port 1827, due to the lack of authentication for sessions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GateHouse (affected versions not specified) Harris BGAN RF-7800B-VU204 Harris BGAN RF-7800B-DU204 Hughes Network Systems 9201 Hughes Network Systems 9450 Hughes Network Systems 9502 Inmarsat (affected versions not specified) Japan Radio JUE-250 Japan Radio JUE-500 Thuraya IP satellite terminals (affected versions not specified) **Description** The issue concerns hardcoded credentials in the firmware of various satellite terminals, making it easier for attackers to gain unspecified login access. **Recommendations** For Harris BGAN RF-7800B-VU204, consider changing the hardcoded credentials to unique, secure credentials. For Harris BGAN RF-7800B-DU204, consider changing the hardcoded credentials to unique, secure credentials. For Hughes Network Systems 9201, consider changing the hardcoded credentials to unique, secure credentials. For Hughes Network Systems 9450, consider changing the hardcoded credentials to unique, secure credentials. For Hughes Network Systems 9502, consider changing the hardcoded credentials to unique, secure credentials. For Japan Radio JUE-250, consider changing the hardcoded credentials to unique, secure credentials. For Japan Radio JUE-500, consider changing the hardcoded credentials to unique, secure credentials. At the moment, there is no information about a newer version that contains a fix for GateHouse, Inmarsat, and Thuraya IP satellite terminals.

Name of the Vulnerable Software and Affected Versions: SafeNet SoftRemote versions prior to 10.8.6 Description: The issue is a stack-based buffer overflow in the IKE service, allowing remote attackers to execute arbitrary code via a long request to UDP port 62514. Recommendations: For versions prior to 10.8.6, update to version 10.8.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Novell NetIdentity Client versions prior to 1.2.4 **Description** The issue allows remote attackers to execute arbitrary code by establishing an IPC$ connection to the XTIERRPCPIPE named pipe and sending RPC messages that trigger a dereference of an arbitrary pointer. **Recommendations** For versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the XTIERRPCPIPE named pipe to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows XP versions SP2 through SP3 Microsoft Windows Server 2003 versions SP1 through SP2 **Description** The issue arises from improper validation of input sent from user mode to the kernel in the Ancillary Function Driver (AFD) component. This allows local users to gain privileges via a crafted application, potentially enabling an attacker to run code with elevated privileges and execute arbitrary code, thereby taking complete control of an affected system. The attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Microsoft Windows XP versions SP2 through SP3, update to a version that properly validates input passed from user mode to the kernel. For Microsoft Windows Server 2003 versions SP1 through SP2, update to a version that properly validates input passed from user mode to the kernel. As a temporary workaround, consider restricting access to the Ancillary Function Driver (afd.sys) to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: RealWin Server version 2.0 Description: A stack-based buffer overflow issue allows remote attackers to execute arbitrary code via a crafted FC INFOTAG/SET CONTROL packet. Recommendations: For RealWin Server version 2.0, consider applying a patch or fix to address the stack-based buffer overflow issue, if available. As a temporary workaround, restrict access to the FC INFOTAG/SET CONTROL packet handling functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions prior to the fixed version GEARAspiWDM.sys version 2.0.7.5 and earlier, as used in Apple iTunes before 8.0 and other products **Description** The issue is caused by an integer overflow in the IopfCompleteRequest API in the kernel, allowing context-dependent attackers to gain privileges. This can be exploited locally via repeated IoAttachDevice IOCTL calls to the `.GEARAspiWDMDevice` in the GEARAspiWDM.sys driver. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For Microsoft Windows, update to a version that includes the fix for the integer overflow in the IopfCompleteRequest API. For GEARAspiWDM.sys version 2.0.7.5 and earlier, consider disabling the `IoAttachDevice` IOCTL call to `.GEARAspiWDMDevice` until a patch is available. For Apple iTunes before 8.0, update to version 8.0 or later to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft PowerPoint Viewer 2003 **Description** The issue allows remote attackers to execute arbitrary code via a specially crafted PowerPoint file, potentially leading to memory corruption. This can be exploited by creating a malicious PowerPoint file that could be sent as an email attachment or hosted on a compromised website. If successfully exploited, an attacker could gain complete control of the affected system, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights. The impact may be less severe for users with limited user rights. **Recommendations** For Microsoft PowerPoint Viewer 2003, consider avoiding the use of specially crafted PowerPoint files until a fix is available. As a temporary workaround, restrict access to potentially malicious files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime versions prior to 7.4.5 **Description** The issue is related to a heap-based buffer overflow in the quickTime.qts component, which can be triggered by a crafted PICT image file with Kodak encoding. This is due to inadequate error checking and error messages. The estimated number of potentially affected devices and details about real-world incidents are not specified. **Recommendations** For versions prior to 7.4.5, update to version 7.4.5 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Apple QuickTime versions prior to 7.3 Description: The issue is related to a heap-based buffer overflow that occurs when parsing certain elements in a PICT image, specifically the Poly type and PackBitsRgn field opcodes. This can allow remote attackers to execute arbitrary code. Recommendations: For Apple QuickTime versions prior to 7.3, update to version 7.3 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Apple QuickTime versions prior to 7.3 Description: The issue is related to a heap-based buffer overflow that occurs when parsing the color table atom (CTAB) in a movie file. This happens due to an invalid color table size, specifically related to the CTAB RGB values, allowing remote attackers to execute arbitrary code. Recommendations: For versions prior to 7.3, update to version 7.3 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Apple QuickTime versions prior to 7.3 Description: The issue is a stack-based buffer overflow that allows remote attackers to execute arbitrary code. This is achieved by using an invalid UncompressedQuickTimeData opcode length in a PICT image. Recommendations: For versions prior to 7.3, update to version 7.3 or later to resolve the issue.