Multiple Vulnerabilities in innovaphone VoIP Products Fixed

Dear all,

innovaphone fixed several vulnerabilities in two VoIP products that we disclosed a while ago. The affected products are the Linux Application Platform and the IPVA. Unfortunately, the release notes are not public (yet?) and the vendor does not include information about the vulnerabilities for the Linux Application Platform. Therefore, we decided to publish some more technical details for the issues.

Multiple Vulnerabilities in Linux Application Platform

The Linux Application Platform was affected by three vulnerabilities that could be chained to get full root access to a target system. However, the initial access vector is only exploitable by authenticated users. The vulnerabilities have been identified on the Linux Application Platform V10 SR41. According to the vendor, they have been fixed in V10 SR57.

Arbitrary File Read in Linux Application Platform

The Linux Application Platform allows authenticated users to read arbitrary system files via the “download log” functionality. Whenever an authenticated user clicks on one of the “download log” buttons in the Linux Application Platform web interface, the user’s browser will reference the corresponding log file with an absolute file system path. An attacker can change this path to download any system file. This allows downloading all files that are readable by the user of the web server process.

Command Injection in Linux Application Platform

The Linux Application Platform is affected by a command injection vulnerability in the diagnostics.php file. The “clear log” button action in diagnostics.php passes user input to system() calls without any input sanitization. This allows running arbitrary system commands with the privileges of the web server process (www-data).
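
One way to close both the arbitrary file read and the command injection described above, shown as an added example that is not innovaphone's code or their actual fix: the client submits only a short log key, the server maps it to a path from an allow-list, and clearing uses file APIs instead of system(). The directory, log keys and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the client sends only a short key, never a path.
// Directory and keys are assumptions for this example, not the product's layout.
const LOG_DIR = '/var/log/example-app';
const LOGS = [
    'web'    => 'web.log',
    'system' => 'system.log',
];

/** Resolve a client-supplied log key to a canonical path inside the log directory, or null. */
function resolveLog(string $key, string $baseDir = LOG_DIR, array $logs = LOGS): ?string
{
    if (!array_key_exists($key, $logs)) {
        return null;                      // unknown key: reject, never fall back to raw input
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $logs[$key]);
    if ($base === false || $path === false) {
        return null;                      // directory or file does not exist
    }
    // Defence in depth: after symlink resolution the file must still live under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** "Download log": stream the file only if the key resolves to an allow-listed log. */
function downloadLog(string $key): bool
{
    $path = resolveLog($key);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: text/plain');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    return readfile($path) !== false;
}

/** "Clear log": truncate through file APIs, so no shell ever parses request data. */
function clearLog(string $key): bool
{
    $path = resolveLog($key);
    return $path !== null && file_put_contents($path, '', LOCK_EX) !== false;
}
```

Because the request never carries a path and no shell is invoked, a traversal string or shell metacharacters in the key simply fail the allow-list lookup.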

Local Privilege Escalation in Linux Application Platform

The www-data user is only allowed to run a couple of commands via sudo. One of them is the /usr/local/bin/config.sh script, which has a feature that allows running arbitrary script files. Combined with the previous two vulnerabilities, this allows getting full system access with root privileges.

Open Redirect Vulnerability in IPVA

The IPVA was affected by an open redirect vulnerability in a GET parameter. It would allow an attacker to craft URLs for an IPVA instance that include a URL to an attacker-controlled system in the affected parameter. If the attacker is able to trick someone into clicking on this link, the client would access the allegedly safe URL of a trusted system, but would then be redirected to an attacker-controlled destination.
We have identified this vulnerability in IPVA 12r1 sr23 and it has been fixed in 13r1.

Disclosure Timeline

  • 08.07.2019 – Public disclosure of vulnerabilities
  • 08.07.2019 – Fixed versions released by innovaphone AG
  • 02.07.2019 – Response from the vendor with a status update
  • 19.06.2019 – Trying to get a status update from the vendor
  • 15.05.2019 – Trying to get a status update from the vendor
  • 25.03.2019 – The start of a 90-day disclosure period of the vulnerability by ERNW GmbH to innovaphone AG

Conclusions

If you run those products in your environment, I strongly recommend that you get and install the new innovaphone updates.
Cheers