Nettitude Blog

Vulnerabilities in JETSELECT Superyacht software

Posted by Nettitude on Apr 16, 2020 4:26:10 PM

Nettitude has recently conducted a number of projects focused on Marine & Offshore (M&O) technologies.  The objective of one such M&O project was to find and exploit vulnerabilities in the software and hardware found on a superyacht.

During this project, Nettitude identified three vulnerabilities in a piece of software called JETSELECT, which is used to segment different parts of a superyacht network. The vulnerabilities have been assigned CVE-2019-13021, CVE-2019-13022, and CVE-2019-13023.

These vulnerabilities allow a threat actor to take control of the JETSELECT product itself, and consequently gain the ability to amend the security configuration applied to the superyacht's network. The threat actor can modify the rules governing network traffic between different security zones and gain access to high security networks, making it difficult for network defenders to detect the malicious activity. The vulnerabilities also allow the threat actor to amend network configuration, denying access to critical systems that are connected to the controlled networks.

Vulnerabilities like these highlight the need for defense in depth.  Patching would not have helped in this situation, so defenders would need to ensure that it’s difficult for an attacker to remotely or physically reach the affected product in the first place.  There are now patches available for these vulnerabilities, although Nettitude have not verified their effectiveness.   

Full technical details can be found at the following Nettitude Labs blog.

For details on other M&O research conducted by Nettitude, please visit our R&I reports section.

 

*We would like to note that JetStream, the developers of the JETSELECT software, worked closely with Nettitude to understand the vulnerability and produce a patch.  The disclosure timeline was as follows:

  • 15 May 2019 – Initial communications established with vendor.
  • 24 May 2019 – Technical details provided to allocated point of contact.
  • 28 May 2019 – Follow up email sent to ensure vendor received technical details.
  • 4 June 2019 – Vendor acknowledged receipt of technical details.
  • 18 July 2019 – Nettitude requests update.
  • 21 July 2019 – Vendor replies they have a patch nearly ready, that will be released in the coming weeks.
  • 24 July 2019 – Nettitude delay disclosure to allow further time for customers to patch their software.
  • 12 December 2019 – Nettitude give vendor notice of intent to publicly disclose.
  • 13 December 2019 – Vendor acknowledges.
  • 22 April 2020 – Nettitude publicly disclose vulnerabilities.

 
