Security Advisory: Remote Code Execution on Viasat Modems (CVE-2024-6199)

Quentin Kaiser
Lead Security Researcher

Introduction

As indicated in previous posts on the subject of automated binary zero-day analysis (Remote Command Execution in Cisco Access Point WAP Products, Spotting Silent Patches in OSS, Remote Code Execution in Delta Electronics DVW Devices, Arbitrary Command Execution on TP-Link Archer C5400X), we tested this feature on our firmware corpus and reported vulnerabilities to affected vendors, creating the base of most of our 2024 advisories.

This one is a bit different, since it was identified by one of our customers on the day they opted in to binary static analysis. Enabling the feature is as easy as going to "Analysis Configuration" and checking the "Enable binary zero-day analysis" checkbox.

They had already uploaded Viasat firmware images to the platform, and when the results of the daily monitoring run came back, a few stack buffer overflows had been identified in different binaries.

Remote Command Execution

Affected vendor & product: Viasat RM5110, RM5111, RG1100, EG1000, and EG1020 modems
Vendor advisory: N/A
Vulnerable version: <= 4.3.0.2
Fixed version: 4.3.0.3
CVE IDs: CVE-2024-6199
Impact (CVSS): CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/RE:M/U:Red (7.7 - High)
Credit: Q. Kaiser, ONEKEY Research Lab

Summary

An unauthenticated attacker on the WAN interface, with the ability to intercept Dynamic DNS (DDNS) traffic between DDNS services and the modem, could manipulate specific responses to include code that forces a buffer overflow on the modem.

Impact

A remote unauthenticated attacker on the WAN interface with the ability to intercept traffic can gain remote code execution on the device by intercepting and modifying the HTTP responses returned by the remote endpoints (dyndns, tzo) contacted by the binary.

Customers that have not enabled Dynamic DNS on their modem are not vulnerable.

Description

The ddns_success binary expects the following command line:

ddns_success -d -t [tzo|tzo-echo|dyndns] -n public_ip -T timeout

The -t parameter indicates which method should be used to obtain the public IP. The following commands are executed by the binary depending on the type parameter:


The dyndns implementation differs a bit since the response is different, but the same vulnerable call to sscanf is observed:


By intercepting HTTP communication between the Viasat terminal and either echo.tzo.com or checkip.dyndns.org, a remote unauthenticated attacker could return an HTTP response that contains more bytes than the public_ip buffer can hold, leading to a stack buffer overflow.

By taking control of the program counter through the overflow, an attacker can redirect the execution flow and execute arbitrary code. ROP chaining is not even needed, since the binary lacks basic hardening such as a non-executable stack.

The binary is missing hardening flags like NX, PIE, RELRO, and Stack Canary.
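To show the bug class behind CVE-2024-6199 from the fixing side, here is an added example that is not Viasat's or the supplier's code: an unbounded sscanf conversion into a fixed public_ip buffer (shown only as a comment) next to a hardened parser that limits the conversion width, rejects truncated fields and validates the result as an IPv4 address. The response layout ("Current IP Address: x.x.x.x" inside an HTML body), the 16-byte buffer size and the function name are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed buffer size: "255.255.255.255" plus the terminating NUL. */
#define PUBLIC_IP_LEN 16

/* Vulnerable pattern (illustrative, not the real binary's code): an
 * unbounded %s copies the whole token, however long, into public_ip.
 *
 *   char public_ip[PUBLIC_IP_LEN];
 *   sscanf(body, "Current IP Address: %s", public_ip);  // no width limit
 *
 * A response whose address field is longer than 15 characters overwrites
 * the stack past the buffer; without NX/canary that is code execution. */

/* Hardened parser: extracts the address from a checkip-style HTTP body.
 * Never writes more than PUBLIC_IP_LEN-1 characters, refuses fields that
 * were cut short by the width limit, and accepts only a valid dotted quad.
 * Returns 1 on success, 0 on any malformed or oversized input. */
int parse_public_ip(const char *body, char public_ip[PUBLIC_IP_LEN])
{
    const char *marker = "Current IP Address: ";
    const char *p = strstr(body, marker);
    if (p == NULL)
        return 0;
    p += strlen(marker);

    /* Width 15 == PUBLIC_IP_LEN-1, and the scanset restricts the token to
       the IPv4 alphabet, so the write can never exceed the buffer. */
    public_ip[0] = '\0';
    if (sscanf(p, "%15[0-9.]", public_ip) != 1)
        return 0;

    /* If the character after the consumed token is still part of the
       field, the field was longer than the limit: treat it as hostile. */
    char next = p[strlen(public_ip)];
    if (next != '<' && next != '\0' && next != '\r' && next != '\n' && next != ' ')
        return 0;

    /* Final semantic check: the token must be a real IPv4 address. */
    struct in_addr addr;
    return inet_pton(AF_INET, public_ip, &addr) == 1;
}

int main(void)
{
    /* Constructed sample bodies, one benign and one oversized. */
    char ip[PUBLIC_IP_LEN];
    printf("%d\n", parse_public_ip("<body>Current IP Address: 203.0.113.7</body>", ip));
    printf("%d\n", parse_public_ip("<body>Current IP Address: 1234567890123456789</body>", ip));
    return 0;
}
```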

One interesting bit of information about this ddns_success binary is that Viasat did not have access to its source code, as it was provided as-is by a third-party supplier. This clearly demonstrates that, sometimes, shifting right is necessary, and that static analysis at the firmware level is the only way to uncover bugs in binaries you usually have no visibility into.

Recommendation

Make sure your devices are online so they can receive the automated update from Viasat. Confirm that your device has received the update by checking the running firmware version in the administrative interface.

Key Takeaways

  • A critical unauthenticated RCE vulnerability was uncovered in widely deployed satellite modems using ONEKEY’s automated firmware analysis.
  • The flaw demonstrates the systemic risks of opaque firmware in devices used across sensitive infrastructures.
  • Proactive firmware inspection is essential for both OEMs and integrators to identify and remediate latent threats.
  • Transparency and visibility into embedded software are foundational to securing modern connected environments.

Timeline

The coordinated vulnerability disclosure process was easy to navigate, even though it was a first for Viasat. They were responsive and open in their communications, telling us what their engineering team was doing and what was happening in the field. Deploying over-the-air updates to different products running in heterogeneous environments is no easy feat, which is why we agreed to a disclosure deadline extension.

During that extension, Viasat kept us up to date on the ratio of patched devices in the field.

The full timeline follows:

  • 15/05/2024 - coordinated disclosure request sent to Viasat
  • 15/05/2024 - answer from Viasat
  • 27/05/2024 - report is sent to Viasat
  • 29/05/2024 - sync meeting to discuss findings with Viasat
  • 18/06/2024 - sync meeting, Viasat requests an extension to the 90-day disclosure deadline. ONEKEY agrees to follow the whole process.
  • 07/01/2025 - sync meeting
  • 29/01/2025 - sync meeting, expect fixes deployed by 28/02/2025
  • 26/02/2025 - sync meeting, requests disclosure for both CVEs on 28/03/2025
  • 12/03/2025 - sync meeting, 28/03/2025 deadline won't be met, asking for an extension
  • 02/04/2025 - sync meeting, new disclosure date set to 25/04/2025
  • 23/04/2025 - sync meeting
  • 25/05/2025 - coordinated public disclosure
