[CVE-2018-10093] Remote Command Injection vulnerability in AudioCode IP phones
Description
The AudioCodes 400HD series of IP phones is a range of easy-to-use, feature-rich desktop devices for the service provider hosted services, enterprise IP telephony and contact center markets.
The CGI scripts used by the web interface of the 420HD phone do not filter user input correctly. Consequently, an authenticated attacker could inject arbitrary commands (remote code execution) and take full control of the device. For example, it is possible to intercept live communications.
Vulnerability records
CVE ID: CVE-2018-10093
Access Vector: remote
Security Risk: medium
Vulnerability: CWE-78
CVSS Base Score: 7.2
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Details
The script command.cgi, used for system monitoring and diagnostics, is vulnerable to a remote command execution attack.
Visiting /command.cgi?cat%20/etc/passwd gives the following result:
admin:$1$FZ6rOGS1$54ZXSmjh7nod.kXFRyLx70:0:0:root:/:/bin/sh
Note that the vulnerable page is only available to authenticated users (in possession of the admin configuration password).
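The advisory describes the root cause as a CGI script that passes the unfiltered query string to a shell (CWE-78). The following Python example is added here for illustration and is not AudioCodes code; the 420HD firmware is not public in this advisory, so the `cmd=<name>` parameter, the diagnostic names and the sample access-log lines are all constructed assumptions. It shows the standard remediation for this class of bug (an allowlist of diagnostic names mapped to fixed argument vectors, executed without a shell) and a log check a defender can run to flag requests to command.cgi that do not match that allowlist.

```python
"""Allowlisted diagnostics endpoint plus an access-log check for command.cgi.

Added example, not the vendor's code. The real command.cgi is assumed to hand
the raw query string to a shell; this module shows the CWE-78 remediation
instead: clients may only name a diagnostic, never supply a command.
"""
import re
import subprocess
from urllib.parse import parse_qs, unquote_plus

# Assumed allowlist: the client may only name one of these keys, and each key
# maps to a fixed argv list that is executed without a shell.
ALLOWED_DIAGNOSTICS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
    "memory": ["free", "-m"],
}

# Whitespace and characters that mean something to a POSIX shell. A diagnostic
# name never needs any of them, so a query containing one is rejected outright.
# '&' is deliberately absent: it is the query-string separator and is handled
# by parse_qs below.
SHELL_META = re.compile(r"[\s;|`$<>(){}\\'\"]")

# Apache/nginx "combined" style access-log line (constructed format assumption).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def build_argv(query):
    """Map a raw CGI query string to a fixed argv list, or None if rejected.

    The query is expected to look like 'cmd=<name>'. A bare command such as
    'cat%20/etc/passwd', a repeated parameter, or a name carrying shell
    metacharacters all yield None and are never executed.
    """
    decoded = unquote_plus(query)
    if SHELL_META.search(decoded):
        return None
    params = parse_qs(query, keep_blank_values=False)
    values = params.get("cmd", [])
    if len(values) != 1:  # missing or repeated parameter
        return None
    name = values[0]
    if not re.fullmatch(r"[a-z]{1,16}", name):
        return None
    argv = ALLOWED_DIAGNOSTICS.get(name)
    return list(argv) if argv else None


def run_diagnostic(query, timeout=5):
    """Execute the allowlisted diagnostic named by `query`; never invokes a shell."""
    argv = build_argv(query)
    if argv is None:
        return "ERROR: unknown diagnostic"
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"ERROR: {exc.__class__.__name__}"
    return proc.stdout


def flag_command_cgi_requests(log_lines):
    """Return access-log entries that call command.cgi with a non-allowlisted query.

    Each finding carries the client address, the authenticated user and the
    decoded query so the source of the request can be investigated.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/command.cgi"):
            continue
        if build_argv(query) is None:
            findings.append({
                "client": m.group("client"),
                "user": m.group("user"),
                "query": unquote_plus(query),
            })
    return findings


# Constructed sample log lines (not from the advisory): one legitimate call,
# two injection-shaped calls, one unrelated request.
SAMPLE_LOG = [
    '192.0.2.10 - admin [10/Jan/2019:12:00:00 +0000] "GET /command.cgi?cmd=uptime HTTP/1.1" 200 51',
    '192.0.2.77 - admin [10/Jan/2019:12:00:05 +0000] "GET /command.cgi?cat%20/etc/passwd HTTP/1.1" 200 64',
    '192.0.2.77 - admin [10/Jan/2019:12:00:09 +0000] "GET /command.cgi?cmd=uptime;id HTTP/1.1" 200 80',
    '192.0.2.10 - - [10/Jan/2019:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for finding in flag_command_cgi_requests(SAMPLE_LOG):
        print(f"{finding['client']} ({finding['user']}): {finding['query']!r}")
```

The key design point is that the client never supplies anything that reaches a shell: the only thing taken from the request is a short lowercase name, which is looked up in a fixed table, and `subprocess.run` is called with an argument list rather than a command string. The log check reuses the same `build_argv` decision, so any request that the hardened handler would reject is exactly the request that gets flagged.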
Timeline (dd/mm/yyyy)
- 06/03/2018 : Initial discovery
- 17/04/2018 : Vendor contact
- 17/05/2018 : Vendor technical team acknowledgment
- 07/01/2019 : Vendor recommendation to mitigate the issue
- 10/01/2019 : Public disclosure
Fixes
AudioCodes recommends changing the default admin credentials to mitigate the issue.
Affected versions
This vulnerability has only been tested on the 420HD phone (firmware version: 2.2.12.126).
Credits
a.baube at sysdream dot com