GOautodial vulnerabilities put call center network security at stake

Bugs now fixed were easy to exploit, but required prior authentication / network access

GOautodial, an open source call center software suite with 50,000 users worldwide, fixed two vulnerabilities that could lead to information disclosure and remote code execution (RCE).

Discovered by Scott Tolley of the Synopsys Cybersecurity Research Center (CyRC), the first bug – tracked as CVE-2021-43175 – was classified as medium severity.

An API router accepts a username, password, and action, and routes the request to other PHP files that implement the various API functions.

However, vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any value for these parameters and successfully authenticate.

This allows the caller to name and call a second PHP file without having valid credentials for the GOautodial system.

“The first vulnerability – the interrupted authentication on the GOautodial API – allows any attacker with network access to the GOautodial server to simply ask it for a set of configuration data, without any type of user account or valid password,” Tolley told The Daily Swig.

“This configuration data includes sensitive data such as default passwords for other devices and applications on the network that an attacker could then exploit to attack other system components.”

This could include other related systems on the network, such as telephones or VoIP services.
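A sketch of the fail-closed pattern for a router like the one described above, added here as an example; it is not GOautodial's code or its patch. The action names, handler functions, account store and request fields are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical action names mapped to fixed handlers; the caller never names a file.
const ACTIONS = [
    'getUserInfo'  => 'handle_get_user_info',
    'getCampaigns' => 'handle_get_campaigns',
];

function handle_get_user_info(string $user): array { return ['user' => $user]; }
function handle_get_campaigns(string $user): array { return ['campaigns' => []]; }

// Constructed account store; a real system would query its user table.
function load_users(): array { return ['agent001' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]; }

// Fail closed: anything other than a positive credential match returns false.
function authenticate(array $users, mixed $user, mixed $pass): bool
{
    // Reject missing values and non-strings (arrays, null) before any comparison.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    // Verify against a dummy hash for unknown users so timing does not reveal valid names.
    $known = array_key_exists($user, $users);
    $hash  = $known ? $users[$user] : password_hash('dummy', PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && $known;
}

function route(array $users, array $req): array
{
    // Authentication is decided before the action is even looked at.
    if (!authenticate($users, $req['user'] ?? null, $req['pass'] ?? null)) {
        return ['status' => 401, 'body' => 'authentication failed'];
    }
    $action = $req['action'] ?? null;
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return ['status' => 400, 'body' => 'unknown action'];
    }
    return ['status' => 200, 'body' => (ACTIONS[$action])($req['user'])];
}

// Constructed requests: valid login, arbitrary values, wrong type, unlisted action.
$users = load_users();
$requests = [
    ['user' => 'agent001', 'pass' => 'constructed-sample-pw', 'action' => 'getUserInfo'],
    ['user' => 'anything', 'pass' => 'anything', 'action' => 'getUserInfo'],
    ['user' => 'agent001', 'pass' => ['x'], 'action' => 'getUserInfo'],
    ['user' => 'agent001', 'pass' => 'constructed-sample-pw', 'action' => 'someOtherFile.php'],
];
foreach ($requests as $r) { echo route($users, $r)['status'], PHP_EOL; }
```

Only the first request reaches a handler; the others are refused before any handler code runs.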

Authenticated RCE

Another vulnerability, CVE-2021-43176, allows any user authenticated at any level to execute code remotely, giving them full control over the GOautodial application on the server.

A highly serious flaw, it allows an attacker to steal data from colleagues and clients, and even to rewrite the application to introduce malicious behavior.

“The second vulnerability – remote code execution – allows any regular user of the software, such as an individual call center employee, to do just about anything they want: delete all data, steal all data, intercept passwords, spoof messages,” says Tolley.

“This is serious business, because it means that any individual user at any level could compromise the integrity of the entire call center; or any attacker who accesses the account of such a user.”

According to researchers, versions of the GOautodial API at or before commit b951651 on September 27, 2021, appear to be vulnerable, including the latest publicly available ISO installer GOautodial-4-x86_64-Final-2011010-0150.iso.

“Both vulnerabilities are easy to exploit for anyone with technical skills. Non-technical users, however, would find it difficult to do this effectively,” says Tolley.

“Unfortunately, it would be easy to develop and package an easy-to-use exploit for non-technical attackers.”

Tolley disclosed the vulnerabilities in GOautodial on September 22, and they were patched on October 20. Synopsys validated the patch on November 17 and released its advisory on December 7.

“The disclosure process with the GOautodial team went smoothly and they quickly patched both vulnerabilities,” said Tolley.
