Now-patched bugs were easy to exploit, but required prior authentication/network access
GOautodial, an open source call center software suite with 50,000 users around the world, has patched two vulnerabilities that could lead to information disclosure and remote code execution (RCE).
Unearthed by Scott Tolley of the Synopsys Cybersecurity Research Center (CyRC), the first bug – tracked as CVE-2021-43175 – has been rated medium severity.
An API router accepts a username, password, and action that routes to other PHP files that implement the various API functions.
However, vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate.
This allows the caller to name and call a second PHP file without having any valid credentials for the GOautodial system.
“The first vulnerability – broken authentication on the GOautodial API – allows any attacker with network access to the GOautodial server to simply request a set of configuration data from it, without any kind of valid user account or password, Tolley tells The Daily Swig.
“This configuration data includes sensitive data such as default passwords for other devices and applications on the network that an attacker could then leverage to attack other components of the system.”
This could include other related systems on the network, such as VoIP phones or services.
Another vulnerability, CVE-2021-43176, allows any authenticated user at any level to perform remote code execution, allowing them to gain complete control over the GOautodial application on the server.
Rated high severity, it allows an attacker to steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behavior.
“The second vulnerability – remote code execution – allows any regular user of the software, such as an individual call center worker, to do pretty much anything they like: delete all the data, steal all the data, intercept passwords, falsify messages,” says Tolley.
“This is serious stuff, as it means that any individual user at any level could compromise the integrity of the entire call center; or any attacker that gains access to the account of such a user.”
According to the researchers, versions of the GOautodial API from or prior to commit b951651 on September 27, 2021, appear to be vulnerable, including the latest publicly available ISO installer GOautodial-4-x86_64-Final-20191010-0150.iso.
“Both vulnerabilities are easy to exploit for anyone with any technical ability. Non-technical users would struggle to do so effectively, however,” says Tolley.
“Unfortunately, it would be easy to develop and package an easy-to-use exploit for non-technical attackers to take advantage of.”
Tolley disclosed the vulnerabilities to GOautodial on 22 September, and they were fixed on October 20. Synopsys validated the fix on November 17, and Synopsys published its advisory on December 7.
“The disclosure process with the GOautodial team was smooth, and they have quickly patched both vulnerabilities,” Tolley says.