John Leyden Mar 09, 2022 at 17:52 UTC
Updated: Mar 10, 2022 08:37 UTC
Cloudy with a chance of feats
Security researchers were able to chain together three separate vulnerabilities to achieve the complete compromise of Pascom’s Cloud Phone System.
Daniel Eshetu of Ethiopian infosec company Kerbit achieved full pre-authentication remote code execution (RCE) on the enterprise-focused Voice over IP (VoIP) and broader communication platform by combining a trio of individually less severe security flaws.
The three components of the successful exploit were a path traversal vulnerability, a server-side request forgery (SSRF) flaw in a bundled third-party component, and a post-authentication RCE issue.
All three bugs were fixed in versions 7.20.x of Pascom's Cloud Phone System, released in January, well before Kerbit published its findings on Monday (March 7).
Companies using cloud versions of the technology were automatically updated. However, users of the self-hosted version should ensure that their systems are up to date.
The system runs a Linux-based operating system, with the individual services provided by software running in LXC containers.
As explained in Kerbit's technical write-up, the first flaw was a path traversal in requests reverse-proxied from Nginx to Tomcat (CVE-2021-45968).
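The write-up does not reproduce the exact request, so the following is an added illustration (not Kerbit's or Pascom's code) of the general class of bug: a front-end proxy that applies an access rule to the path as received, while the servlet container behind it normalises the path before routing. The deny rule, the probe paths and the normalisation model are constructed assumptions about how such a front-end and back-end behave, not details taken from the advisory.

```python
"""Added example: prefix-based access control on a reverse proxy versus
back-end path normalisation. The /protected/ rule and the probe paths are
constructed for illustration and are not taken from the Pascom advisory."""
from urllib.parse import unquote

# Hypothetical front-end rule: nothing under /protected/ may be reached
# from the internet. Matching the raw path against a prefix is a common,
# and flawed, way to express that rule.
DENIED_PREFIXES = ("/protected/",)


def frontend_allows_raw(path: str) -> bool:
    """Naive proxy check: deny list matched against the path as received."""
    return not any(path.startswith(p) for p in DENIED_PREFIXES)


def backend_normalize(path: str) -> str:
    """Model of what a servlet container does before routing: percent-decode,
    drop ';...' path parameters from each segment (Tomcat treats them as
    matrix parameters), then resolve '.' and '..' segments. This is a
    simplified model, not Tomcat's actual implementation."""
    decoded = unquote(path)
    out = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]  # '..;anything' collapses to '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def frontend_allows_hardened(path: str) -> bool:
    """Hardened check: canonicalise the same way the back-end will, then
    apply the deny list to the canonical form."""
    canonical = backend_normalize(path)
    return not any(canonical.startswith(p) for p in DENIED_PREFIXES)


# Constructed probe paths covering the usual traversal shapes.
PROBES = [
    "/protected/config",                 # direct request, blocked by both
    "/public/../protected/config",       # plain dot-dot
    "/public/..;/protected/config",      # path-parameter variant
    "/public/%2e%2e/protected/config",   # percent-encoded dot-dot
]


def bypasses(check) -> list:
    """Probe paths that pass `check` yet land under a denied prefix once
    the back-end has normalised them."""
    return [p for p in PROBES
            if check(p) and any(backend_normalize(p).startswith(d)
                                for d in DENIED_PREFIXES)]


if __name__ == "__main__":
    print("raw-prefix check lets through:", bypasses(frontend_allows_raw))
    print("hardened check lets through:  ", bypasses(frontend_allows_hardened))
```

The practical lesson is that the proxy and the application must agree on what a path means; when they cannot, the safer rule is to reject any request whose canonical form differs from the form received rather than trying to enumerate encodings.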
The SSRF issue stemmed from an outdated Openfire (XMPP server) jar file that was vulnerable to the flaw tracked as CVE-2021-45967. This is a recurrence of an Openfire vulnerability disclosed about three years earlier, CVE-2019-18394.
XMPP is an open communication protocol that handles instant messaging, presence, and contact list functions.
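An SSRF of this kind arises when a server fetches a URL it was handed without checking where that URL points. As an added example (not Openfire's, Kerbit's or Pascom's code), the block below shows the unsafe pattern next to a validator that rejects non-HTTP schemes, embedded credentials, and hosts that resolve to loopback, link-local, private or otherwise internal address ranges. The `FAKE_DNS` table is a constructed stand-in for real resolution so the code runs offline; in production the resolver argument is left at its default.

```python
"""Added example: validating an outbound fetch URL before making the request.
FAKE_DNS is constructed test data; the default resolver uses the real
system resolver."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def fetch_unsafe(url: str) -> bytes:
    """The vulnerable pattern: whatever URL arrives is fetched as-is, so a
    caller can point the server at http://127.0.0.1:9090/ or a cloud
    metadata endpoint. Defined for contrast; never called here."""
    return urllib.request.urlopen(url).read()


def _system_resolve(host: str) -> set:
    """Resolve a hostname to the set of addresses it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr: str) -> bool:
    """True for any address a server should never be coaxed into calling."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url: str, resolve=_system_resolve):
    """Return (ok, reason). `resolve` maps a hostname to a set of address
    strings; it is injectable so the check can be exercised without DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addrs = resolve(parts.hostname)
    except (OSError, KeyError):
        return False, "unresolvable host"
    for addr in addrs:
        if is_internal(addr):
            return False, f"resolves to internal address {addr}"
    return True, "ok"


# Constructed resolver: hostnames map to made-up addresses, and an address
# literal resolves to itself, which is what getaddrinfo does for literals.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "localhost": {"127.0.0.1"},
}


def fake_resolve(host: str) -> set:
    return FAKE_DNS.get(host, {host})


if __name__ == "__main__":
    for candidate in ("https://example.com/favicon.ico",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://metadata.internal/",
                      "http://[::1]:9090/",
                      "file:///etc/passwd",
                      "http://user:pw@example.com/"):
        print(candidate, "->", validate_outbound_url(candidate, fake_resolve))
```

One caveat the check cannot cover on its own: the name is resolved once here and again by the HTTP client, so a host that changes its answer between the two lookups (DNS rebinding) slips through. The robust fix is to connect to the address that was validated, and to follow redirects only after validating each new location the same way.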
The last vulnerability was a command injection in a scheduled task (CVE-2021-45966).
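Scheduled tasks are a classic home for this bug: a job reads a value that an authenticated user was allowed to set, splices it into a shell command line, and runs it with the job's own privileges. The page gives no detail on the affected task, so the block below is an added illustration (not Pascom's or Kerbit's code) using a hypothetical host-check job: the vulnerable string-building form next to a version that validates the input and passes it as an argument vector with no shell. The `ping` command and hostname rule are assumptions for the example.

```python
"""Added example: command injection in a scheduled job, and its fix.
The job, the command and the input values are constructed for illustration."""
import re
import shlex
import subprocess

# Hypothetical job: a periodic reachability check of a user-configured host.

def build_unsafe(host: str) -> str:
    """Vulnerable form: interpolate the value into a shell command line.
    This string is what the job would hand to subprocess.run(..., shell=True)."""
    return f"ping -c 1 {host}"


# Conservative hostname grammar (RFC 1123 labels). Anything that does not
# match is rejected outright rather than escaped.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_safe(host: str) -> list:
    """Hardened form: validate, then return an argv list. With a list and
    shell=False there is no shell to interpret metacharacters."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def shell_commands(cmdline: str) -> list:
    """Tokenise a command line the way a POSIX shell would and split it on
    command separators, to show how many commands a string really contains.
    Illustrative only: it ignores $(...) and backtick substitution."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_safe(host: str) -> int:
    """Run the hardened job and return ping's exit status (not called here)."""
    return subprocess.run(build_safe(host), check=False).returncode


if __name__ == "__main__":
    benign, hostile = "host-1.example.com", "example.com; id"
    print("unsafe:", shell_commands(build_unsafe(hostile)))
    try:
        build_safe(hostile)
    except ValueError as exc:
        print("safe:  ", exc)
    print("safe:  ", build_safe(benign))
```

Escaping with `shlex.quote` would also neutralise the semicolon, but validation plus an argument vector is the stronger choice: it removes the shell from the path entirely, and it refuses values the job has no business accepting, which is exactly what a scheduled task running as a privileged account should do.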
In response to questions from The Daily Swig, Kerbit's Eshetu said he discovered the flaws in Pascom's cloud-based phone system as part of a larger research project looking at the security of VoIP systems.
"Our research was not primarily focused on VoIP systems, but on their web applications and management, and whether there are common bugs," Kerbit explained, adding that "we don't believe there is broader guidance for all VoIP platforms that is different from any other system/application."
On Pascom in particular, the number of “affected devices should be very low given that most instances are running in Pascom’s own (cloud) infrastructure and the patch has been applied there,” according to Kerbit.
For its part, Pascom said it wanted to "thank KerbitSec for the quick and efficient cooperation that allowed us to close these vulnerabilities!"