Navarino delivers Infinity hotfix to an estimated 6,000 vessels.

Navarino Telecom has issued a hotfix to its network of maritime bandwidth optimization devices, after a security researcher discovered a vulnerability that could lead to a “total compromise” of a ship’s VSAT system.

Greece-based Navarino is one of the world’s largest distributors of Inmarsat maritime communication services.

In addition to delivering high-speed satellite broadband to vessels around the world, the company also designs and distributes Infinity – a suite of onboard bandwidth management and optimization solutions.

An investigation into a maritime company running the Infinity Standard platform across its small fleet led independent security researcher Vangelis Stykas to discover a total of three vulnerabilities in Navarino’s flagship solution – two of which were deemed to be critical.

“I found that the vessels were connected to the internet using Infinity, which is exposing a web interface,” Stykas said. “The web interface was not available directly as the root was returning a 404.

“I downloaded Infinity’s Android app and found out that it was connecting to an internal URL. When this URL was added as the HTTP host header, I was presented with Infinity’s login screen over the internet.”

Stykas found that Infinity was exposing an unauthenticated script that was prone to blind SQL injection.

“If successfully exploited, the user could get information from the underlying PostgreSQL database that could lead to a total compromise of the product,” the researcher stated.

In addition to the blind SQL injection flaw, Stykas found that all Infinity products were prone to a session fixation attack.

“This could lead to phishing attacks that could bypass the two-factor authentication that is present in some installations,” he said.

“Furthermore, this can be chained with the first vulnerability and have the attacker login as any user with no phishing required.”

Finally, Stykas also found improper handling of authentication in Infinity. “There are certain functions that when placed in the URL bypass any authentication mechanism in place,” he explained. “This could lead to information leaking.”

Speaking to The Daily Swig following the publication of his vulnerability report, Stykas said: “These vulnerabilities could lead to the full compromise of the VSAT system, as the user could login even as an administrator user of the system and change critical system configuration.

“It could give access to the network or cut its internet access. And if the product was Infinity Cube or Infinity Plus, it could compromise any VMS that were managed by Infinity.”

In his postmortem, Stykas praised Navarino for reacting quickly to his findings and pushing out a hotfix to an estimated 6,000 vessels.

“Navarino had an excellent response,” he said. “They fixed everything and pushed a hotfix in less that 30 days. I really wish that all VSAT providers were like them.”

A full technical write-up from Stykas can be found here.