Vulnerability Summary
| Field | Details |
|---|---|
| CVE ID | CVE-2026-29128 |
| Affected Product | IDC SFX2100 Satellite Receiver |
| Vendor | International Datacasting Corporation |
| Vulnerability Type | Insecure Configuration / Plaintext Credential Exposure |
| Severity | High |
| CVSS Score | 7.5 (Estimated) |
| Attack Vector | Local / Adjacent Network |
| Privileges Required | Low |
| User Interaction | None |
| Exploitability | Moderate |
| Exploit Availability | No public weaponized exploit reported |
| Impact | Credential disclosure, routing manipulation, network service compromise |
| Affected Components | Routing daemon configuration files |
| Affected Files | zebra.conf, bgpd.conf, ospfd.conf, ripd.conf |
A security weakness has been identified in the IDC SFX2100 satellite receiver where multiple routing daemon configuration files are stored with insecure permissions and contain plaintext credentials. These files are readable by unintended users within the system environment. If an attacker gains limited system access, sensitive routing daemon credentials may be obtained and used to manipulate internal routing services.
The device firmware includes configuration files for routing services responsible for managing network traffic across satellite communication infrastructure. Improper permission settings allow these files to be accessed without administrative privileges. Because authentication secrets are stored directly in configuration files, credentials may be exposed simply by reading the files.
This condition introduces the risk of unauthorized interaction with routing daemons, allowing attackers to potentially modify routing behavior, intercept traffic, or disrupt communication services.
Affected Systems
The vulnerability affects systems running firmware versions of the IDC SFX2100 Receiver where routing daemon configuration files are stored with world-readable permissions.
Affected daemon configurations typically include:
- Zebra routing manager
- BGP daemon (bgpd)
- OSPF daemon (ospfd)
- RIP daemon (ripd)
Configuration files commonly located within the system include:
/etc/quagga/zebra.conf
/etc/quagga/bgpd.conf
/etc/quagga/ospfd.conf
/etc/quagga/ripd.conf
These files contain parameters used by the routing framework embedded within the receiver.
Technical Description
Routing functionality within the device is managed by a set of daemon processes responsible for maintaining routing tables and handling routing protocol communication. These daemons rely on configuration files that contain authentication credentials and administrative control settings.
The vulnerability exists because the configuration files are stored with permissions that allow any authenticated system user to read them. In many cases the permissions appear similar to the following:
-rw-r--r-- zebra.conf
-rw-r--r-- bgpd.conf
-rw-r--r-- ospfd.conf
-rw-r--r-- ripd.conf
This permission structure means the files are readable by all users, not just administrators.
Within these files, administrative credentials are commonly defined using directives such as:
enable password routeradmin
password routingcontrol
Because the credentials are not encrypted or hashed, they can be immediately extracted and used to authenticate to routing services.
The routing daemons usually listen on internal management ports, allowing administrators to manage routing behavior. If an attacker gains access to the credentials, these services can be controlled remotely or locally.
Root Cause
The vulnerability is introduced by several insecure configuration practices.
Improper file permission settings allow configuration files containing sensitive credentials to be readable by unintended users. Sensitive authentication data is stored in plaintext within daemon configuration files rather than protected through encryption or secure credential storage mechanisms.
Additionally, the system architecture relies on configuration-based authentication for routing services. Because those credentials are embedded directly in files accessible from the filesystem, exposure occurs whenever local file access is obtained.
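The two conditions described above, other-readable files and unhashed `password` directives, can be checked in one pass. The script below is an added example, not part of the advisory or of the vendor's firmware. It assumes a directory of Quagga-style `.conf` files, a 10-character mode string from `ls -l`, and Quagga's `password 8 <hash>` form for encrypted secrets; any other argument after `password` or `enable password` is counted as plaintext.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): audit a Quagga
# configuration directory for the two conditions the advisory describes,
# other-readable files and unhashed password directives.
# Assumptions: a 10-character mode string from "ls -l" and Quagga's
# "password 8 <hash>" form for encrypted secrets (anything else after
# "password" is treated as plaintext).

audit_quagga_conf() {
    dir=$1
    findings=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        mode=$(ls -ld -- "$f" | cut -c1-10)
        # character 8 of the mode string is the "other" read bit
        if [ "$(printf '%s' "$mode" | cut -c8)" = "r" ]; then
            printf '%s:WORLD_READABLE:%s\n' "$name" "$mode"
            findings=$((findings + 1))
        fi
        # count "password ..." / "enable password ..." lines whose argument is
        # not the "8" marker that precedes an encrypted value
        n=$(grep -E '^[[:space:]]*(enable[[:space:]]+)?password[[:space:]]+' "$f" \
            | grep -Evc '^[[:space:]]*(enable[[:space:]]+)?password[[:space:]]+8[[:space:]]' \
            || true)
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s:PLAINTEXT_PASSWORD:%s\n' "$name" "$n"
            findings=$((findings + 1))
        fi
    done
    # exit status 0 only when nothing was found, so the check can gate a
    # firmware build or run from cron
    [ "$findings" -eq 0 ]
}

# usage: audit_quagga_conf /etc/quagga || echo "insecure routing configuration found"
```

Each finding is printed as `file:CONDITION:detail`, so the output can be fed to a ticketing or monitoring pipeline directly; the non-zero exit status on findings is what makes the function usable as a gate.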
Attack Scenario
A typical attack scenario may involve the following sequence.
First, limited system access is obtained. This access could be achieved through legitimate credentials, service misconfiguration, or another vulnerability present within the device.
Once inside the system environment, the attacker searches for routing daemon configuration files.
ls /etc/quagga/
The configuration files are then inspected.
cat /etc/quagga/zebra.conf
cat /etc/quagga/bgpd.conf
If credentials are present, they can be extracted from the configuration file contents.
Example output:
hostname router
password routercontrol
enable password satelliteadmin
Using these credentials, the attacker may attempt to connect to routing daemon management ports.
Typical daemon management ports include:
| Service | Port |
|---|---|
| Zebra | 2601 |
| RIP | 2602 |
| OSPF | 2604 |
| BGP | 2605 |
An attacker may then authenticate to the routing daemon interface.
telnet localhost 2605
Once authenticated, routing tables may be modified or malicious routes injected.
Potential Impact
If exploited successfully, several consequences may occur.
Network Traffic Manipulation
Attackers could inject unauthorized routing entries or redirect traffic flows.
Data Interception
Satellite communication traffic passing through the device may be intercepted or monitored.
Service Disruption
Routing misconfiguration could lead to broadcast interruptions or network outages.
Infrastructure Pivoting
Routing credentials could allow attackers to interact with other network devices or systems connected to the routing infrastructure.
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Credential Access | Unsecured Credentials | T1552 |
| Discovery | Network Configuration Discovery | T1016 |
| Lateral Movement | Remote Services | T1021 |
| Persistence | Modify System Configuration | T1543 |
| Impact | Network Denial of Service | T1498 |
Proof of Concept (Educational Purpose Only)
No publicly distributed exploit has been confirmed, but the weakness can be demonstrated through simple system interaction.
Example validation steps:
ssh user@receiver-ip
List routing configuration files:
ls -l /etc/quagga/
Search for passwords:
grep password /etc/quagga/*.conf
Possible output:
bgpd.conf: password bgpcontrol
zebra.conf: enable password routeradmin
Attempt connection to daemon:
telnet localhost 2605
Authentication using extracted credentials may provide access to routing configuration commands.
Indicators of Compromise
Security teams may observe several indicators when exploitation attempts occur.
- Unusual read activity on routing daemon configuration files
- Unauthorized access attempts to routing management ports
- Unexpected changes to routing tables
- Suspicious shell commands related to network configuration
- Connections initiated toward routing daemon service ports
Detection
File Access Monitoring
Access to routing configuration files should be monitored for unusual behavior.
Files to monitor:
/etc/quagga/zebra.conf
/etc/quagga/bgpd.conf
/etc/quagga/ospfd.conf
/etc/quagga/ripd.conf
Unexpected access from non-administrative users may indicate reconnaissance or credential harvesting.
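One way to get that file-access telemetry on a Linux host, as an added example that is not part of the advisory: auditd watch rules for the four files, plus a triage function that correlates the SYSCALL and PATH records of each audit event by serial number and reports reads by any uid other than 0. It assumes the host runs auditd and that the daemons read their configuration as root, so that a root read is treated as expected; the audit log lines in `sample_audit_log` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): auditd watch rules for the four
# configuration files, and a triage function that correlates the SYSCALL and
# PATH records of each audit event and reports reads by any uid other than 0.
# Assumes a Linux host with auditd; the audit records in sample_audit_log are
# constructed for this example.

QUAGGA_AUDIT_RULES='-w /etc/quagga/zebra.conf -p r -k quagga_conf
-w /etc/quagga/bgpd.conf -p r -k quagga_conf
-w /etc/quagga/ospfd.conf -p r -k quagga_conf
-w /etc/quagga/ripd.conf -p r -k quagga_conf'

# Print rules suitable for /etc/audit/rules.d/quagga.rules (then: augenrules --load)
print_quagga_audit_rules() { printf '%s\n' "$QUAGGA_AUDIT_RULES"; }

# Read raw audit records from stdin or the files given; print "uid comm path"
# for every read of /etc/quagga/*.conf by a non-root uid. Exit 0 if any found.
flag_nonroot_quagga_reads() {
    awk '
    # event serial from msg=audit(<timestamp>:<serial>)
    function serial(line,   m) {
        if (!match(line, /msg=audit\([0-9.]+:[0-9]+\)/)) return ""
        m = substr(line, RSTART, RLENGTH); sub(/.*:/, "", m); sub(/\)/, "", m)
        return m
    }
    # value of key=... on a record; the leading space keeps uid= from matching auid=
    function field(line, key,   m) {
        if (!match(" " line, " " key "=\"?[^ \"]+")) return ""
        m = substr(" " line, RSTART, RLENGTH); sub(/^ [a-z_]+=/, "", m); gsub(/"/, "", m)
        return m
    }
    function report(s) {
        if ((s in uid) && (s in path) && uid[s] != "0" && !(s in done)) {
            printf "%s %s %s\n", uid[s], comm[s], path[s]; done[s] = 1; hits++
        }
    }
    /^type=SYSCALL / { s = serial($0); uid[s] = field($0, "uid"); comm[s] = field($0, "comm"); report(s) }
    /^type=PATH / && /name="\/etc\/quagga\/[a-z]+\.conf"/ { s = serial($0); path[s] = field($0, "name"); report(s) }
    END { exit (hits > 0 ? 0 : 1) }
    ' "$@"
}

# Constructed sample: a user "cat" of bgpd.conf, the daemon itself reading
# bgpd.conf as root (expected), and a user "grep" of zebra.conf.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="quagga_conf"
type=CWD msg=audit(1700000000.101:501): cwd="/home/user"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/quagga/bgpd.conf" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bgpd" exe="/usr/sbin/bgpd" key="quagga_conf"
type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/quagga/bgpd.conf" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=955 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="grep" exe="/bin/grep" key="quagga_conf"
type=PATH msg=audit(1700000000.303:503): item=0 name="/etc/quagga/zebra.conf" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# usage on a live host: ausearch -k quagga_conf --raw | flag_nonroot_quagga_reads
```

The `-k quagga_conf` key on the watch rules is what lets `ausearch -k` pull only these events; correlating on the serial rather than on the PATH record alone matters because the uid and process name live in the SYSCALL record, not in the PATH record.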
Detection Rules
Sigma Rule
title: Suspicious Access to Routing Daemon Configuration Files
id: cve-2026-29128-config-access
status: experimental
description: Detects access to routing daemon configuration files which may contain plaintext credentials
logsource:
  product: linux
  category: file_access
detection:
  selection:
    FileName|contains:
      - zebra.conf
      - bgpd.conf
      - ospfd.conf
      - ripd.conf
  condition: selection
level: high
Splunk Detection Query
index=os_logs
("/etc/quagga/zebra.conf" OR "/etc/quagga/bgpd.conf" OR "/etc/quagga/ospfd.conf" OR "/etc/quagga/ripd.conf")
| stats count by user, process, host
Microsoft Sentinel (KQL)
Syslog
| where SyslogMessage contains "/etc/quagga/"
| where SyslogMessage contains "zebra.conf"
or SyslogMessage contains "bgpd.conf"
or SyslogMessage contains "ospfd.conf"
or SyslogMessage contains "ripd.conf"
| project TimeGenerated, Computer, SyslogMessage
Elastic Detection Query
file.path : ("/etc/quagga/zebra.conf" OR "/etc/quagga/bgpd.conf" OR "/etc/quagga/ospfd.conf" OR "/etc/quagga/ripd.conf")
OSQuery Detection
SELECT *
FROM file_events
WHERE path LIKE '/etc/quagga/%';
Log Sources
The following telemetry sources may assist in identifying exploitation attempts.
Operating System Logs
- Linux audit logs
- File access monitoring logs
- Authentication logs
- Shell command history
Network Security Logs
- Firewall connection logs
- IDS/IPS alerts
- NetFlow or packet monitoring
System Monitoring
- EDR telemetry
- Host intrusion detection systems
- System daemon logs
Application Logs
- Routing daemon service logs
- System service activity logs
Mitigation
The vulnerability can be mitigated by applying the following security measures.
Restrict Configuration File Permissions
Permissions should be restricted so that only administrative users can read the configuration files.
chmod 600 /etc/quagga/*.conf
Remove Plaintext Passwords
Authentication credentials should be replaced with encrypted secrets or hashed passwords.
Disable Unused Routing Services
If routing functionality is not required, the daemons should be disabled.
systemctl disable bgpd
systemctl disable ospfd
systemctl disable ripd
Network Segmentation
Management interfaces and routing daemon ports should be restricted using firewall rules.
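The permission and segmentation steps above, carried through as one script. This is an added example, not the vendor's remediation or part of the advisory. It assumes the daemons run under an unprivileged account, named here by the placeholder `QUAGGA_USER` (the real account name is device-specific), and a Linux host with iptables. The check it adds to the `chmod 600` step is ownership: if the files stay owned by root while the daemon drops privileges to its own account, the daemon can no longer read its configuration after the permissions are tightened.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): apply the advisory's
# permission fix together with the ownership check it needs, verify the
# result, and emit firewall rules that keep the vty ports off the network.
# Assumptions: the daemons run as an unprivileged account named by
# QUAGGA_USER (placeholder "quagga"; the real account is device-specific)
# and the host has iptables.

QUAGGA_USER=${QUAGGA_USER:-quagga}
QUAGGA_GROUP=${QUAGGA_GROUP:-$QUAGGA_USER}

# chmod 600 alone is not enough: root-owned 600 files are unreadable to a
# daemon that has dropped privileges. Own the files by the daemon account,
# then close them to group and other, then verify.
harden_quagga_conf() {
    dir=$1
    owner=${2:-$QUAGGA_USER}
    group=${3:-$QUAGGA_GROUP}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        chown "$owner:$group" "$f"
        chmod 600 "$f"
    done
    verify_quagga_conf "$dir"
}

# Succeed only if every .conf is mode 600 (read/write for the owner, nothing else).
verify_quagga_conf() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        case "$(ls -ld -- "$f" | cut -c1-10)" in
            -rw-------) ;;
            *) printf '%s still readable by group/other\n' "$f" >&2; return 1 ;;
        esac
    done
    return 0
}

# Firewall rules for the vty ports listed in the advisory: accept on loopback
# (local administration only), drop from every other interface.
quagga_vty_firewall_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -p tcp -m multiport --dports 2601,2602,2604,2605 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 2601,2602,2604,2605 -j DROP
EOF
}

# usage (as root): harden_quagga_conf /etc/quagga && quagga_vty_firewall_rules
# review the printed rules, then apply them and persist them with the
# distribution's iptables save mechanism
```

The verification step is deliberately separate from the fix so it can run on its own from a compliance check; the firewall function prints rules rather than applying them, so the ruleset can be reviewed before it touches a production receiver.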
Official Patch / Vendor Upgrade
The vulnerability has been addressed through updated firmware provided by the vendor. Systems should be upgraded to the latest firmware release made available by International Datacasting Corporation.
Official update information is available at:
Upgrading the firmware corrects the insecure file permissions and improves credential handling within routing daemon configuration files.
