CVE-2018-16705 in FELCOM 250
Summary
by MITRE
FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the xml/permission.xml file containing all of the system's usernames and passwords. This includes the Admin and Service user accounts and their unsalted MD5 hashes, as well as the SMS server password in cleartext.
Analysis
by VulDB Data Team • 03/22/2020
The vulnerability CVE-2018-16705 affects FURUNO FELCOM 250 and 500 maritime communication devices and is a critical flaw that exposes authentication credentials without requiring any authentication. This weakness falls under the category of insecure direct object reference as defined by CWE-22, where the system exposes internal objects such as configuration files without proper access controls. The affected object is the xml/permission.xml file, which serves as the central store for all user credentials and is therefore a prime target for attackers seeking unauthorized system access. The exposed information includes the administrative and service user accounts together with their password hashes, creating a significant risk of full system compromise.
Technically, the vulnerability stems from improper access control in the FURUNO device firmware: the xml/permission.xml file can be retrieved through unauthenticated HTTP requests. The system stores password hashes using the MD5 algorithm without salting, which leaves them vulnerable to rainbow table attacks and offline brute force. In addition, the SMS server password is stored in cleartext, further worsening the security implications. This configuration directly violates the credential storage and access control guidance in NIST SP 800-63B and the OWASP Top Ten 2017. The weakness lets attackers obtain system-wide authentication information with minimal effort, since no prior authentication is required to read the file.
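To make the credential storage point concrete, the following added example (written for this entry, not FURUNO code and not derived from the device firmware) contrasts the weak scheme described above, an unsalted MD5 digest per account, with a hardened scheme using a random per-user salt and a slow key derivation function. The account names and passwords are constructed for the example; the helper functions are hypothetical and not part of any real product API.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample credential store mirroring the flaw: two accounts that happen
# to share a password. The passwords are made up for this example.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "Admin": "changeme123",
    "Service": "changeme123",
}


def unsalted_md5(password: str) -> str:
    """The weak scheme: one deterministic digest per password, no salt.
    Identical passwords always yield identical stored values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened scheme: random 16-byte salt plus PBKDF2-HMAC-SHA256.
    The returned string is self-describing so verification can recover its parameters."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_is_visible(accounts: Dict[str, str], hasher: Callable[[str], str]) -> bool:
    """True when two accounts with the same password end up with the same stored value.
    With unsalted MD5 this is always the case, which is what makes precomputed tables
    and password-reuse spotting possible; with per-user salts it never is."""
    stored = [hasher(pw) for pw in accounts.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("unsalted MD5 reveals shared password:", shared_password_is_visible(SAMPLE_ACCOUNTS, unsalted_md5))
    print("salted PBKDF2 reveals shared password:", shared_password_is_visible(SAMPLE_ACCOUNTS, salted_hash))
```

The iteration count of 600,000 is a reasonable present-day default for PBKDF2-HMAC-SHA256; the important properties for a device credential store are the per-user random salt and a deliberately slow derivation, neither of which the unsalted MD5 scheme provides.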
The operational impact of this vulnerability goes beyond simple credential theft: it gives attackers comprehensive access to the administrative functions of the maritime communication system. With the admin and service user credentials, attackers can modify system configurations, disable security features, and potentially gain complete control over the communication infrastructure. The cleartext SMS server password opens additional attack vectors, including SMS-based command and control channels. This vulnerability aligns with ATT&CK technique T1078.004 for valid accounts and T1566 for credential access, as it enables adversaries to use legitimate credentials for unauthorized access. The exposed credentials form a persistent threat vector that can be exploited for extended periods without detection, particularly in maritime environments where communication systems are critical for safety and operational continuity.
Organizations should implement immediate mitigations: network segmentation to isolate these devices from general network access, firewall rules that block access to the xml/permission.xml endpoint, and firmware updates from FURUNO when available. The system configuration should require authentication for all administrative endpoints and enforce access controls according to the principle of least privilege. Security monitoring should include detection of unauthorized access attempts to sensitive configuration files, and regular credential rotation should be enforced for all accounts. The vulnerability demonstrates the importance of secure configuration management and proper input validation, as outlined in CWE-22 and CWE-798, where hardcoded credentials and insufficient access controls create exploitable conditions. Organizations should also consider deploying network intrusion detection to monitor for access patterns consistent with this specific vulnerability, since the predictable file path makes such access attempts relatively straightforward to detect.
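The monitoring recommendation above can be implemented as a simple log check. The following added example (written for this entry, not VulDB or FURUNO code) parses Common Log Format web server lines and classifies every request for the xml/permission.xml path: an unauthenticated 2xx response is reported as an exposure, an authenticated read as expected administrative traffic, and anything else as a probe. The log lines are constructed for the example, use documentation and private address ranges, and do not represent real traffic; the function names are hypothetical.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Paths that must never be readable without authentication. The first entry is the
# file named in the advisory; operators can extend the tuple with other device paths.
SENSITIVE_PATHS = ("/xml/permission.xml",)

# Common Log Format: host ident authuser [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log (not real traffic). 192.0.2.0/24 is a documentation range;
# 10.0.0.0/8 stands in for the operator's management network.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Mar/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.77 - - [22/Mar/2020:10:01:05 +0000] "GET /xml/permission.xml HTTP/1.1" 200 2310
192.0.2.77 - - [22/Mar/2020:10:01:06 +0000] "GET /xml/permission.xml?cache=1 HTTP/1.1" 200 2310
10.0.0.5 - admin [22/Mar/2020:10:02:00 +0000] "GET /xml/permission.xml HTTP/1.1" 200 2310
192.0.2.78 - - [22/Mar/2020:10:03:00 +0000] "GET /XML/Permission.XML HTTP/1.1" 404 210
this line is not a valid access log record
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive_path(path: str) -> bool:
    """Compare the path without its query string, case-insensitively, so trivial
    variants such as an added query parameter or different casing are not missed."""
    bare = path.split("?", 1)[0].lower()
    return any(bare == p.lower() for p in SENSITIVE_PATHS)


def classify(rec: Dict[str, str]) -> str:
    """exposure: unauthenticated request that succeeded (the CVE condition);
    authenticated: an identified user read the file; probe: any other attempt."""
    if rec["user"] != "-":
        return "authenticated"
    if rec["status"].startswith("2"):
        return "exposure"
    return "probe"


def find_sensitive_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed record that targets a sensitive path, tagged with its class."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sensitive_path(rec["path"]):
            continue
        rec["class"] = classify(rec)
        findings.append(rec)
    return findings


def count_by_class(findings: List[Dict[str, str]]) -> Counter:
    return Counter(f["class"] for f in findings)


def exposure_sources(findings: List[Dict[str, str]]) -> Counter:
    """Source hosts that actually obtained the file without authenticating."""
    return Counter(f["host"] for f in findings if f["class"] == "exposure")


if __name__ == "__main__":
    hits = find_sensitive_requests(SAMPLE_LOG)
    print(count_by_class(hits))
    print("unauthenticated readers:", exposure_sources(hits))
```

An "exposure" finding from a host outside the management network is the event worth alerting on; a "probe" (for example the 404 above) still indicates that someone is looking for the file and is useful context once the endpoint has been blocked at the firewall.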