Nettitude has recently conducted a number of projects focused on Marine & Offshore (M&O) technologies. The objective of one such M&O project was to find and exploit vulnerabilities in the software and hardware found on a superyacht.
During this project, Nettitude identified three vulnerabilities in a piece of software called JETSELECT, which is used to segment different parts of a superyacht network. The vulnerabilities have been assigned CVE-2019-13021, CVE-2019-13022, and CVE-2019-13023.
These vulnerabilities allow a threat actor to take control of the JETSELECT product itself, and consequently gain the ability to amend the security configuration applied to the superyacht's network. The threat actor can modify the rules governing network traffic between different security zones, and gain access to high-security networks, making it difficult for network defenders to detect the malicious activity. The vulnerabilities also allow the threat actor to amend network configuration, denying access to critical systems that are connected to the controlled networks.
Vulnerabilities like these highlight the need for defense in depth. Patching would not have helped in this situation, so defenders would need to ensure that it’s difficult for an attacker to remotely or physically reach the affected product in the first place. There are now patches available for these vulnerabilities, although Nettitude have not verified their effectiveness.
Full technical details can be found at the following Nettitude Labs blog.
For details on other M&O research conducted by Nettitude, please visit our R&I reports section.
*We would like to note that JetStream, the developers of the JETSELECT software, worked closely with Nettitude to understand the vulnerability and produce a patch. The disclosure timeline was as follows:
- 15 May 2019 – Initial communications established with vendor.
- 24 May 2019 – Technical details provided to allocated point of contact.
- 28 May 2019 – Follow-up email sent to ensure vendor received technical details.
- 4 June 2019 – Vendor acknowledged receipt of technical details.
- 18 July 2019 – Nettitude requests update.
- 21 July 2019 – Vendor replies they have a patch nearly ready, that will be released in the coming weeks.
- 24 July 2019 – Nettitude delay disclosure to allow further time for customers to patch their software.
- 12 December 2019 – Nettitude give vendor notice of intent to publicly disclose.
- 13 December 2019 – Vendor acknowledges.
- 22 April 2020 – Nettitude publicly disclose vulnerabilities.