CVE-2018-16591 in FELCOM 250

Summary

by MITRE

FURUNO FELCOM 250 and 500 devices allow unauthenticated users to change the password for the Admin, Log and Service accounts, as well as the password for the protected "SMS" panel via /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi.


Analysis

by VulDB Data Team • 03/22/2020

The vulnerability identified as CVE-2018-16591 affects FURUNO FELCOM 250 and 500 communication devices, representing a critical security flaw in industrial networking equipment. These devices are commonly deployed in maritime and industrial environments where secure communication is paramount for operational continuity and safety. The vulnerability stems from improper authentication mechanisms within the web-based administrative interfaces of these devices, specifically exposing sensitive password change functionality to unauthorized users without requiring any form of authentication credentials.

The technical flaw manifests through the exposure of two vulnerable CGI scripts: /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi. These scripts are designed to handle password modification requests for multiple administrative accounts including Admin, Log, and Service accounts, as well as the protected SMS panel functionality. The absence of authentication checks means that any remote attacker can exploit these endpoints to modify critical account passwords without prior authorization. This weakness directly violates the principle of least privilege and authentication requirements that should be enforced for administrative functions within networked devices.

The operational impact of this vulnerability is severe and multifaceted across industrial and maritime communication environments. An attacker who exploits this vulnerability gains unauthorized access to administrative accounts, potentially leading to complete system compromise, data exfiltration, service disruption, and operational interference. The ability to change passwords for service accounts particularly undermines the device's security posture as these accounts often have elevated privileges and access to critical system functions. The exposure of the SMS panel password change functionality is especially concerning as SMS capabilities in industrial devices often provide emergency communication channels and remote access features that could be weaponized for malicious purposes.

From a cybersecurity perspective, this vulnerability aligns with CWE-287, which addresses improper authentication issues in software systems, and represents a clear violation of the NIST Cybersecurity Framework's Identify and Protect functions. The ATT&CK framework categorizes this as a privilege escalation technique through credential access, specifically mapping to T1078 for valid accounts and T1566 for credential harvesting. Organizations implementing these devices face significant risk exposure, particularly in environments where these devices are not properly segmented or monitored for unauthorized access attempts. The vulnerability's impact extends beyond immediate system compromise to potential cascading effects on connected systems and operational technology networks.

Mitigation strategies should include immediate firmware updates from FURUNO to address the authentication bypass vulnerability, network segmentation to isolate these devices from critical operational networks, and implementation of robust monitoring for unauthorized access attempts. Additionally, organizations should conduct comprehensive vulnerability assessments of their industrial control systems to identify similar authentication bypass vulnerabilities in other networked devices. The remediation process must include changing all default passwords, implementing strong authentication mechanisms, and establishing continuous monitoring protocols to detect and respond to unauthorized access attempts. Regular security audits and penetration testing should be conducted to ensure that similar vulnerabilities are not present in other components of the operational technology infrastructure.
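The monitoring recommended above can start with a check for any request that reaches the two password-change endpoints. The following is an added example, not code from VulDB or FURUNO: it assumes traffic to the device passes through a proxy or gateway that writes Common Log Format lines, and the management range and sample log lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoints named in the CVE-2018-16591 description.
SENSITIVE = {
    "/cgi-bin/sm_changepassword.cgi": "Admin/Log/Service password change",
    "/cgi-bin/sm_sms_changepasswd.cgi": "SMS panel password change",
}
# Assumption (constructed): the only hosts expected to administer the device.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]
# Common Log Format prefix: src ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})\b')

def normalize(target):
    """Reduce a request target to a canonical path before matching."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx
    path = re.sub(r"/+", "/", path)          # collapse repeated slashes
    return posixpath.normpath(path)          # resolve ./ and ../ segments

def scan(lines):
    """Return one finding per request that reaches a password-change endpoint."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        path = normalize(m["target"]) if m else None
        if path not in SENSITIVE:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            trusted = any(src in net for net in MGMT_NETS)
        except ValueError:  # log holds a hostname, not an address
            trusted = False
        # The log cannot show whether the caller was logged in, so any
        # source outside the management range is an alert, not a review.
        findings.append({"line": lineno, "src": m["src"],
                         "action": SENSITIVE[path], "status": int(m["status"]),
                         "severity": "review" if trusted else "alert"})
    return findings

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '10.20.0.5 - - [12/Mar/2024:08:02:40 +0000] "POST /cgi-bin/sm_changepassword.cgi HTTP/1.1" 200 312',
    '203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "POST /cgi-bin//sm_sms_changepasswd.cgi?x=1 HTTP/1.1" 200 298',
    '203.0.113.7 - - [12/Mar/2024:09:14:05 +0000] "GET /cgi-bin/%73m_changepassword.cgi HTTP/1.1" 403 0',
    '10.20.0.5 - - [12/Mar/2024:09:20:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Requests from inside the management range are still reported as "review" so that every password change on the device can be matched to a planned one.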

Reservation: 09/06/2018

Disclosure: 09/10/2018

Moderation: accepted

CPE: ready

EPSS: 0.02162

KEV: no

Activities: very low
