Secret backdoors found in German-made Auerswald VoIP system

Several backdoors were discovered during a firmware penetration test of a widely used Voice over Internet Protocol (VoIP) appliance from Auerswald, a German telecommunications equipment maker, that could be abused to gain full administrative access to devices.

“Two backdoor passwords were found in the firmware of the COMpact 5500R PBX,” RedTeam Pentesting researchers said in a technical analysis released Monday. “One backdoor password is for the secret user ‘Schandelah’, the other can be used for the most privileged user ‘administrator’. No way has been discovered to disable these backdoors.”


The vulnerability has been assigned the identifier CVE-2021-40859 and has a critical severity rating of 9.8. Following a responsible disclosure on September 10, Auerswald addressed the issue in a firmware update (version 8.2B) released in November 2021. “Firmware update 8.2B contains important security updates that you absolutely must apply, even if you don’t need the advanced features,” the company said in a post without directly referring to the problem.

The PBX, short for Private Branch Exchange, is a switching system in the service of a private organization. It is used to establish and control telephone calls between telecommunications terminals, including regular telephones, destinations on the public switched telephone network (PSTN) and devices or services on VoIP networks.

RedTeam Pentesting said it discovered the backdoor after taking a closer look at a service Auerswald provides for customers who lose access to their administrator account: the password of the privileged account can be reset by contacting the manufacturer.


Specifically, the researchers found that the devices are configured to look for a hard-coded “Schandelah” username in addition to “sub-administrator,” the account needed to manage the device, according to official documentation. “It turns out that Schandelah is the name of a small village in northern Germany where Auerswald produces its devices,” the researchers said.

A follow-up investigation by the German penetration testing company found that “the password for this username is derived from the concatenation of the PBX serial number, the string ‘r2d2’ and the current date [in the format ‘DD.MM.YYYY’], hashing it with the MD5 hashing algorithm and taking the first seven lowercase hexadecimal characters from the result.”


Simply put, all an attacker needs in order to generate the password for the “Schandelah” username is the serial number of the PBX, information that can be trivially retrieved from an unauthenticated endpoint (“https://192.168.1[.]2/about_state”). That gives a malicious actor access to a web interface through which the administrator password can be reset.


In addition to this, the researchers said they identified a second backdoor that is triggered when the administrative username “admin” is supplied: a fallback password is programmatically derived using the same algorithm, the only difference being that a two-letter country code is appended to the concatenated string before the MD5 hash is computed. As in the previous case, the alternate password grants privileged access to the PBX without the password having to be changed first.
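Both derivations above share the same design flaw: every input to the password (serial number, a fixed string, the date, a country code) is either public or recoverable from the firmware, so anyone who can read the serial number can compute the credential, and the vendor has no way to turn the scheme off. The following added example (not Auerswald's or RedTeam Pentesting's code; the key pair, serial number and token format are hypothetical) shows how a vendor-assisted recovery feature can be built so that extracting the firmware does not help: the vendor signs a short-lived, device-bound token with an Ed25519 private key that never leaves the vendor, and the PBX embeds only the public key to verify it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RecoveryToken is what the vendor hands to a customer who has locked
// themselves out. It binds one device serial number to a validity window and
// carries the vendor's signature over both, so it cannot be derived from
// the serial number alone.
type RecoveryToken struct {
	Serial    string
	NotAfter  time.Time
	Signature []byte
}

// tokenMessage is the exact byte string that is signed and verified.
func tokenMessage(serial string, notAfter time.Time) []byte {
	return []byte("pbx-recovery-v1|" + serial + "|" + notAfter.UTC().Format(time.RFC3339))
}

// IssueRecoveryToken runs at the vendor after the customer's identity has
// been checked; the private key is never shipped in any firmware image.
func IssueRecoveryToken(priv ed25519.PrivateKey, serial string, notAfter time.Time) RecoveryToken {
	return RecoveryToken{
		Serial:    serial,
		NotAfter:  notAfter.UTC(),
		Signature: ed25519.Sign(priv, tokenMessage(serial, notAfter)),
	}
}

// VerifyRecoveryToken runs on the PBX, which embeds only the public key.
// A token for one serial number is useless on any other device, and an
// expired token is rejected even with a valid signature.
func VerifyRecoveryToken(pub ed25519.PublicKey, deviceSerial string, now time.Time, tok RecoveryToken) error {
	if tok.Serial != deviceSerial {
		return errors.New("recovery token was issued for a different device")
	}
	if now.After(tok.NotAfter) {
		return errors.New("recovery token has expired")
	}
	if !ed25519.Verify(pub, tokenMessage(tok.Serial, tok.NotAfter), tok.Signature) {
		return errors.New("recovery token signature is invalid")
	}
	return nil
}

// EncodeToken renders the token as one pasteable line for the customer.
func EncodeToken(tok RecoveryToken) string {
	return tok.Serial + "|" + tok.NotAfter.UTC().Format(time.RFC3339) + "|" +
		base64.RawURLEncoding.EncodeToString(tok.Signature)
}

// DecodeToken parses the pasteable form back into a RecoveryToken.
func DecodeToken(s string) (RecoveryToken, error) {
	parts := strings.Split(s, "|")
	if len(parts) != 3 {
		return RecoveryToken{}, errors.New("malformed recovery token")
	}
	notAfter, err := time.Parse(time.RFC3339, parts[1])
	if err != nil {
		return RecoveryToken{}, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return RecoveryToken{}, err
	}
	return RecoveryToken{Serial: parts[0], NotAfter: notAfter, Signature: sig}, nil
}

func main() {
	// Hypothetical vendor key pair and constructed serial number for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const serial = "PBX-SERIAL-0001"
	now := time.Now()
	code := EncodeToken(IssueRecoveryToken(priv, serial, now.Add(24*time.Hour)))
	fmt.Println("recovery code:", code)
	tok, err := DecodeToken(code)
	if err != nil {
		panic(err)
	}
	fmt.Println("own device, in window:", VerifyRecoveryToken(pub, serial, now, tok))
	fmt.Println("other device:", VerifyRecoveryToken(pub, "PBX-SERIAL-0002", now, tok))
	fmt.Println("after expiry:", VerifyRecoveryToken(pub, serial, now.Add(48*time.Hour), tok))
}
```

The point of the design is where the secret lives: the firmware holds a public key only, so a penetration tester who dumps the image learns nothing that lets them mint a token, the token is bound to one serial number and one time window rather than being valid for every device forever, and the vendor can revoke the feature by rotating or withdrawing the signing key instead of leaving customers with no way to disable it.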

“By using the backdoor, attackers gain access to the PBX with the highest privileges, which allows them to completely compromise the device,” the researchers said. “Backdoor passwords are not documented. They secretly coexist with a documented password recovery feature supported by the vendor.”
