High-Risk flaws affect the NOAA Satellite System JPSS

The NOAA JPSS System is affected by thousands vulnerabilities, according to a memorandum from the Department of Commerce’s Office of the Inspector General.

The Satellite systems at NOAA (National Oceanic and Atmospheric Administration) are affected by thousands of severe vulnerabilities that could be exploited by threat actors hit them.

The disconcerting news refers the findings of an audit conducted by the Department of Commerce’s Office of the Inspector General (OIG), the bureaus has recently examined Joint Polar Satellite System’s (JPSS) ground system discovering a series of major flaws.

The NOAA JPSS in an example of the next generation of polar-orbiting environmental satellites, its ground system is used to collect data from several polar-orbiting weather satellites, and provide the information to the users. The JPSS infrastructure is also used control and process data for current and future weather satellites.

The NOAA JPSS is ranked as a “High Impact” IT system because any attack could cause catastrophic effects on organizational operations and individuals.

“Our analysis of the JPSS program’s assessments of system vulnerabilities found that, since FY 2012, the number of high-risk vulnerabilities in the system had increased by two-thirds despite recent efforts the program has taken to remediate these vulnerabilities,” reports a memorandum from Allen Crawley, assistant inspector general for systems acquisition and IT security, to Kathryn Sullivan, under secretary of commerce for oceans and atmosphere and NOAA administrator.

The number of high-risk vulnerabilities identified during the assessments conducted in the last couple of years is amazing, it rose from 14,486 in the first quarter of the fiscal year (FY) 2012 to 23,868 in the second quarter of FY 2014 (+ 165%).

“If exploited, these [high-risk] vulnerabilities may make it possible for attackers to significantly disrupt the JPSS mission of providing critical data used in weather forecasting and climate monitoring,” Crawley states in the memorandum.

Due to the nature of satellite systems and their life-cycle, some of the vulnerabilities discovered by the security experts are difficult to fix.

Fortunately, many of the identified high-risk flaws can be fixed with a little effort to apply minor alterations to the NOAA systems, for example correctly configuring more than 3,600 instances of password and auditing settings.

The vulnerability assessment revealed that:

More than 9,100 instances of high-risk vulnerabilities identified by vulnerability scans, including (a) out-of-date software versions or missing security patches, (b) insecurely configured software, and (c) unnecessary user privileges within the operating systems and software.
More than 3,600 instances where password and auditing settings need to be configured in accordance with JPSS policy.
Unnecessary software applications that need to be removed or disabled.
Three outstanding vulnerabilities identified by penetration testing conducted in June 2012.

The experts at NOAA received the recommendations in the memorandum implementing for them the necessary fix, like is happened for a Heartbleed vulnerability that was remedied during the third quarter of FY 2014.

Pierluigi Paganini

(Security Affairs – NOAA satellite system, critical infrastructure)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.