Security Advisory: Remote Code Execution on Viasat Modems (CVE-2024-6198)

Introduction
As described in previous posts on automated binary zero-day analysis (Remote Command Execution in Cisco WAP, Spotting Silent Patches in OSS, Remote Code Execution in Delta Electronics DVW Devices, Arbitrary Command Execution on TP-Link Archer C5400X), we ran this feature against our firmware corpus and reported the resulting vulnerabilities to the affected vendors; those findings form the basis of most of our 2024 advisories on the subject.
This one is a bit different: it was identified by one of our customers on the day they opted in to binary static analysis.
Enabling the feature is as easy as going to "Analysis Configuration" and checking the "Enable binary zero-day analysis" checkbox.

They had already uploaded Viasat firmware to the platform, and when the results of the daily monitoring run came back, a few stack buffer overflows had been identified in different binaries.

In this blog post, we cover the most important one, affecting "SNORE", a web interface reachable over the LAN and over-the-air (OTA) interfaces.
SNORE STACK BUFFER OVERFLOW
Summary
The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the “SNORE” interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing.
Impact
An unauthenticated attacker with access to the LAN network interface could send a specially crafted HTTP request to trigger the buffer overflow and execute arbitrary code on the modem.
Description
The device exposes a web interface on ports TCP/3030 and TCP/9882. This web interface runs lighttpd, which implements what’s called the “SNORE” interface.
Excerpts of the lighttpd configuration defining the "SNORE" endpoints are presented below:


Within the index.cgi CGI binary located under /usr/local/SNORE, the request method and request URI are obtained through the environment variables REQUEST_METHOD and REQUEST_URI, respectively. This is expected behavior for CGI binaries. Then, if the HTTP request verb is GET, POST, or DELETE, two variables are extracted from the URI using an unsafe call to sscanf:
By sending a request such as http://192.168.100.1:9882/snore/blackboxes/AAAAAAAA[512 times]AAAAAA, the path buffer is overflowed and control of registers can be obtained. By taking control of the program counter, an unauthenticated attacker can hijack the execution flow and execute arbitrary code on the system. The only binary hardening in place for the CGI binary is the non-executable stack, which is insufficient to block exploitation: since the binary has neither stack canaries nor position-independent code, an attacker can simply reuse blocks of code already present in the binary with a return-oriented programming approach (ROP chaining).
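The parsing pattern described above, modelled as an added C example that is not ONEKEY's or Viasat's code: the actual sscanf format string, buffer sizes and URI layout of index.cgi are not on this page, so the "/snore/<kind>/<name>" layout, the 512-byte path buffer and the 64-byte kind buffer below are assumptions. The vulnerable parser uses an unbounded %s into a fixed on-stack buffer; the hardened one bounds every conversion with a width specifier and uses %n to reject, rather than silently truncate, a component that does not fit.

```c
/*
 * Added example (not ONEKEY's or Viasat's code): a minimal model of the
 * index.cgi URI parsing described in the advisory, in its vulnerable and
 * hardened forms. Format string, buffer sizes and the
 * "/snore/<kind>/<name>" layout are assumptions, not taken from the binary.
 */
#include <stdio.h>
#include <string.h>

#define KIND_LEN 64
#define PATH_LEN 512   /* assumed size of the on-stack path buffer */

/* Vulnerable pattern: %s with no width copies the last URI component into
 * a fixed on-stack buffer. A component longer than PATH_LEN - 1 bytes runs
 * past `path` into saved registers and the return address. Only ever
 * called with trusted input in main() below; never use it on a request. */
int parse_uri_unsafe(const char *uri, char *kind, char *path)
{
    return sscanf(uri, "/snore/%[^/]/%s", kind, path) == 2;
}

/* Hardened: each conversion carries a width one less than its buffer, and
 * %n reports how many bytes of the URI were consumed. Anything left over
 * means a component was longer than its buffer (or trailing data followed
 * it), and the request is rejected instead of silently truncated. */
int parse_uri_safe(const char *uri, char kind[KIND_LEN], char path[PATH_LEN])
{
    int consumed = 0;
    if (sscanf(uri, "/snore/%63[^/]/%511s%n", kind, path, &consumed) != 2)
        return 0;
    return uri[consumed] == '\0';
}

/* Wrapper with its own buffers: 1 = accepted, 0 = rejected. */
int safe_accepts(const char *uri)
{
    char kind[KIND_LEN], path[PATH_LEN];
    return parse_uri_safe(uri, kind, path);
}

/* Constructed input in the shape of the page's request: the "blackboxes"
 * endpoint followed by n 'A's. Returns 1 on success, 0 if n does not fit. */
int make_probe_uri(size_t n, char *out, size_t out_len)
{
    const char *prefix = "/snore/blackboxes/";
    size_t plen = strlen(prefix);
    if (plen + n + 1 > out_len)
        return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', n);
    out[plen + n] = '\0';
    return 1;
}

/* Runs the hardened parser on a probe of n 'A's: 1 accepted, 0 rejected,
 * -1 if the probe could not be built. */
int safe_accepts_len(size_t n)
{
    char uri[4096];
    if (!make_probe_uri(n, uri, sizeof uri))
        return -1;
    return safe_accepts(uri);
}

int main(void)
{
    char kind[KIND_LEN], path[PATH_LEN];

    /* Benign request: both parsers accept it and agree on the fields. */
    printf("unsafe, benign: %d\n",
           parse_uri_unsafe("/snore/blackboxes/status", kind, path));
    printf("safe,   benign: %d (kind=%s path=%s)\n",
           parse_uri_safe("/snore/blackboxes/status", kind, path), kind, path);

    /* Overlong component: the hardened parser rejects anything past 511
     * bytes; the unsafe parser would write past `path` (not executed). */
    printf("safe, 511 A's: %d\n", safe_accepts_len(511));
    printf("safe, 512 A's: %d\n", safe_accepts_len(512));
    printf("safe, 600 A's: %d\n", safe_accepts_len(600));
    return 0;
}
```

The width-specifier fix applies whatever the real format string turns out to be: every %s and %[...] that targets a fixed buffer needs a width, and the %n check is what turns "truncate" into "reject". A correct parser does not replace binary hardening, though; the advisory notes that index.cgi ships with only a non-executable stack, which `readelf -lW index.cgi` (the GNU_STACK flags) confirms but which says nothing about the missing canaries, PIE and RELRO that make the ROP approach practical.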

Recommendation
Make sure your devices are online so they can receive the automated update from Viasat. Confirm that your device received the update by checking the running firmware version in the administrative interface.
Key Takeaways
- A critical unauthenticated RCE vulnerability was uncovered in widely deployed satellite modems using ONEKEY’s automated firmware analysis.
- The flaw demonstrates the systemic risks of opaque firmware in devices used across sensitive infrastructures.
- Proactive firmware inspection is essential for both OEMs and integrators to identify and remediate latent threats.
- Transparency and visibility into embedded software are foundational to securing modern connected environments.
Timeline
The coordinated vulnerability disclosure process was easy to navigate even though it was a first for Viasat. They were responsive and open in their communications, telling us what their engineering team was doing and what was happening in the field. Deploying over-the-air updates to different products running in heterogeneous environments is no easy feat, which is why we agreed to a disclosure deadline extension.
During that extension, Viasat kept us up to date on the ratio of patched devices in the field.
The full timeline follows:
- 15/05/2024 - coordinated disclosure request sent to Viasat
- 15/05/2024 - answer from Viasat
- 27/05/2024 - report is sent by ONEKEY to Viasat
- 29/05/2024 - sync meeting to discuss findings with Viasat
- 18/06/2024 - sync meeting, requesting an extension to the 90-days disclosure deadline. ONEKEY agrees.
- 07/01/2025 - sync meeting
- 29/01/2025 - sync meeting, expect fixes deployed by 28/02/2025
- 26/02/2025 - sync meeting, requests disclosure for both CVEs on 28/03/2025
- 12/03/2025 - sync meeting, 28/03/2025 deadline won't be met, asking for an extension
- 02/04/2025 - sync meeting, new disclosure date set to 25/04/2025
- 23/04/2025 - sync meeting
- 25/05/2025 - coordinated public disclosure
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
team@euromarcom.de
RELATED RESEARCH ARTICLES

Security Advisory: Remote Code Execution on Viasat Modems (CVE-2024-6199)
Explore ONEKEY Research Lab's security advisory detailing a critical vulnerability in Viasat modems. Learn about the risks and recommended actions.