Cloudy with a chance of exploits
Security researchers have been able to chain together three separate vulnerabilities to achieve the complete compromise of Pascom’s Cloud Phone System.
Full pre-authenticated remote code execution (RCE) on the business-focused Voice over IP (VoIP) and more general communication platform was achieved by Daniel Eshetu of Ethiopian infosec firm Kerbit by combining a trio of less serious security flaws.
The three components of the successful exploit were made up from a path traversal vulnerability, a server side request forgery (SSRF) flaw in an external piece of software, and a post-authentication RCE issue.
All three bugs have been patched in 7.20.x versions of Passcom’s Cloud Phone System, released in January, long before Kerbit published its findings on Monday (March 7).
Businesses using cloud-based versions of the technology were automatically updated. However, users of the self-hosted version ought to make sure their systems are up to date.
The system runs a Linux-based OS with the technology running in LXC containers providing a variety of services.
The SSRF problem stemmed from an outdated Openfire (XMPP server) jar that was vulnerable to a flaw tracked as CVE-2021-45967. This tracks back to a vulnerability discovered around three years ago, CVE-2019-18394, involving Openfire’s technology.
XMPP is an open communication protocol that handles instant messaging, presence, and contact list functions.
The last vulnerability involved command injection in a scheduled task (CVE-2021-45966).
In response to queries from The Daily Swig, Kermit said he came across flaws in Passcom’s Cloud Phone System as part of a wider research project looking into the security of VoIP systems.
“Our research was not mainly focused on VoIP systems but their web apps and management and the existence of common bugs,” Kermit explained, adding that “we don't think there's any wider advice for all VoIP platforms that’s different from any other system/application.”
On Pascom specifically the number of “affected devices should be very low given that most instances run in Pascoms own infrastructure (cloud) and the patch was applied there,” according to Kerbit.
For its part, Pascom said it wanted to "thank KerbitSec for the quick and effective cooperation in ensuring we closed these vulnerabilities!"