A critical security flaw (CVE-2024-6198) in widely deployed Viasat satellite modems allows unauthenticated attackers to execute arbitrary code on affected devices via a stack buffer overflow in the “SNORE” web interface. 

The vulnerability, rated 7.7 (High) on the CVSS v4 scale, impacts multiple modem models, including RM4100, RM4200, EM4100, RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020. 

Discovered through automated firmware analysis by ONEKEY Research Lab, the flaw highlights systemic risks in opaque embedded software underpinning critical infrastructure.

Critical Vulnerability in Modem SNORE Interface

The modems expose a lightweight web service (lighttpd) on TCP ports 3030 and 9882 to handle administrative functions via the SNORE interface.

At the core of the flaw is the index.cgi binary located at /usr/local/SNORE, which improperly parses HTTP request paths. 

When processing GET, POST, or DELETE requests, the CGI script uses an unsafe sscanf call to extract parameters from the REQUEST_URI environment variable without validating input length.

An attacker can trigger a stack buffer overflow by sending a malicious URI like http://192.168.100.1:9882/snore/blackboxes/AAAAAAAA…[512 bytes]. 

This overflows a fixed-size path buffer, overwriting critical stack frames and hijacking the program counter register. 

Despite non-executable stack protections, attackers bypass mitigations via return-oriented programming (ROP) chains, reusing code snippets from the binary itself to achieve arbitrary command execution.

With a CVSS:4.0 vector of AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, the vulnerability permits lateral network attacks by authenticated or unauthenticated LAN users. 

Successful exploitation grants full control over modem operations, potentially enabling traffic interception, credential harvesting, or deployment of persistent malware in environments reliant on satellite communications.

Affected Firmware and Patches

The vulnerability affects:

• RM4100/RM4200/EM4100 modems running firmware versions below 3.8.0.4
• RM5110/RM5111/RG1000/RG1100/EG1000/EG1020 modems with firmware ≤4.3.0.1.

Viasat addressed the flaw in:

• Version 3.8.0.4 for RM4100-series devices.
• Version 4.3.0.2 for RM5110-series and later models. 

The company has deployed over-the-air (OTA) updates, but users must ensure devices are online to receive patches and verify installation via administrative interfaces.

Organizations using affected modems should:

• Immediately isolate devices from untrusted networks pending updates.
• Audit logs for unusual HTTP requests to ports 3030/9882.
• Implement network segmentation to restrict access to SNORE interfaces.

With satellite modems increasingly deployed in energy, maritime, and military networks, CVE-2024-6198 serves as a reminder for stringent firmware vetting and real-time vulnerability monitoring in supply chains. 

As attackers refine ROP techniques against IoT targets, vendors must prioritize exploit mitigations like stack canaries and Control-Flow Integrity (CFI) alongside patch distribution mechanisms.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.