4 Unpatched Bugs Plague Grandstream ATAs for VoIP Users


The flaws have been confirmed by Grandstream, but no firmware update has yet been issued.

UPDATE

Multiple high-severity vulnerabilities in the Grandstream HT800 series of Analog Telephone Adaptors (ATAs) threaten home office and midrange users alike, with outages, eavesdropping and device takeover.

The HT800 series of ATAs is aimed at everyone from home and small-office users to medium-sized businesses that need to connect analog telephones to a VoIP network, unified-communications system or other IP-based communications infrastructure. According to analysis from Tenable, the models have four worrying flaws, all of them unpatched as of this writing.

“Two of the four flaws allow attackers to crash the devices, which would then require an administrator to reboot them,” Jimi Sebree, principal research engineer at Tenable, told Threatpost. “The other two, if successfully exploited, would give an attacker complete control over the affected devices. This would allow them to intercept any traffic designated for the devices, use the devices as part of a botnet, distribute malware, etc.”

The bug tracked as CVE-2020-5760 (rated 7.8 out of 10 on the CVSS scale) is a command injection in the provisioning process. An unauthenticated remote attacker can execute arbitrary commands as root by crafting a malicious configuration file and sending a crafted SIP message that triggers the provisioning step.

“Tenable found the HT800 series is vulnerable to command injection via the configuration file when P240 is set to 1 and P2 (password) contains shell metacharacters,” the firm said in its advisory, released this week. “Furthermore, Tenable found that an unauthenticated remote attacker could trigger this injection via a x-gs-ucm-url SIP message.”

Tenable also published a proof-of-concept exploit, which results in a root shell on the device, allowing full compromise.
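The advisory states the vulnerable condition precisely: P240 set to 1 and a P2 (password) value containing shell metacharacters. The following is an added example, not Tenable's proof-of-concept or any Grandstream code, of a small audit script that parses a provisioning file and flags that condition before the file is served to devices. It assumes the two common Grandstream config layouts (plain-text `Pnnn = value` lines and XML `<Pnnn>value</Pnnn>` elements); the set of characters treated as shell metacharacters is this example's own, since the advisory does not enumerate them, and the sample configs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Characters a POSIX shell treats specially. The advisory only says "shell
# metacharacters", so this set is an assumption of this example, not Tenable's list.
SHELL_METACHARS = set(";|&`$(){}<>\n\"'\\")

PLAIN_LINE = re.compile(r"^\s*(P\d+)\s*=\s*(.*?)\s*$")   # assumed text format: "P2 = value"
PCODE = re.compile(r"^P\d+$")                             # assumed XML format: <P2>value</P2>


def parse_grandstream_config(text: str) -> dict:
    """Return {pcode: value} from either the plain-text or the XML config layout."""
    text = text.strip()
    values = {}
    if text.startswith("<"):
        root = ET.fromstring(text)
        for el in root.iter():
            if PCODE.match(el.tag):
                values[el.tag] = (el.text or "").strip()
    else:
        for line in text.splitlines():
            if line.lstrip().startswith("#"):      # comment line
                continue
            m = PLAIN_LINE.match(line)
            if m:
                values[m.group(1)] = m.group(2)
    return values


def injection_metachars(values: dict) -> set:
    """Metacharacters in P2 that would be injected when P240 == 1 (the advisory's condition)."""
    if values.get("P240") != "1":
        return set()
    return {c for c in values.get("P2", "") if c in SHELL_METACHARS}


def audit_config(text: str) -> dict:
    """Summarise whether a config file matches the CVE-2020-5760 trigger condition."""
    values = parse_grandstream_config(text)
    bad = injection_metachars(values)
    return {"p240": values.get("P240"), "metachars": sorted(bad), "vulnerable": bool(bad)}


# Constructed sample configs (not real device exports).
SAFE_CFG = "# constructed sample\nP240 = 1\nP2 = Str0ngPassw0rd\n"
INJECT_CFG = "P240 = 1\nP2 = abc;id\n"                       # ';' reaches the shell
P240_OFF_CFG = "P240 = 0\nP2 = abc;id\n"                     # metachars present, but P240 != 1
XML_INJECT_CFG = (
    "<gs_provision version=\"1\"><config version=\"1\">"
    "<P240>1</P240><P2>pw$(id)</P2>"
    "</config></gs_provision>"
)

if __name__ == "__main__":
    for name, cfg in [("safe", SAFE_CFG), ("inject", INJECT_CFG),
                      ("p240-off", P240_OFF_CFG), ("xml-inject", XML_INJECT_CFG)]:
        print(name, audit_config(cfg))
```

Run this over every template your provisioning server hands out; a hit means the password value itself is the injection vector, so the fix on the server side is to reject such values until patched firmware is deployed.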

Meanwhile, CVE-2020-5761 (rated 7.5 out of 10 on the CVSS scale) is an infinite-loop bug in the TR-069 service that results in CPU exhaustion. TR-069 is a Broadband Forum technical specification that defines an application-layer protocol for remote management of customer-premises equipment (CPE) connected to IP networks. In Grandstream's ATA implementation, an unauthenticated remote attacker can trigger the bug by sending the service a TCP message as short as a single character.

“The device’s TR-069 service falls into an infinite loop if an unauthenticated, remote attacker sends a TCP message that doesn’t contain a carriage return character (‘\r’),” explained Tenable, in its advisory. “The TR-069 service will then consume almost all of the system’s CPU until the system is rebooted.”

The bug is “trivial” to trigger, according to Sebree. “Exploitation would depend on whether or not the affected features are enabled. In many environments, these features are enabled by default. In that scenario, exploitation is trivial,” he told Threatpost.

The TR-069 service is also at the heart of the third issue, CVE-2020-5762 (rated 7.5 out of 10 on the CVSS scale), a denial of service caused by a NULL pointer dereference in the TR-069 service. The condition is triggered by mishandling of the HTTP Authentication field, according to the CVE description.

“The device’s TR-069 service will crash due to a NULL pointer dereference when an unauthenticated remote HTTP GET request contains an authentication field that isn’t a well-formed digest-challenge,” according to Tenable. “The TR-069 service doesn’t get restarted after the crash…This is easily reproduced by using basic authentication with curl.”
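Both TR-069 bugs are defined by the shape of the inbound request rather than by any secret, which makes them easy to recognise in captured traffic. The following is an added example, not code from Tenable or Grandstream, of detection logic that classifies raw TCP payloads destined for a device's TR-069 service into the two trigger conditions the advisory describes: a message with no carriage return at all (CVE-2020-5761) and an HTTP request whose Authorization header is not a well-formed Digest value (CVE-2020-5762). It assumes the service listens on the conventional TR-069 connection-request port 7547, uses a minimal HTTP/1.x parser of its own, and treats "well-formed Digest" as a `Digest` scheme followed by one or more `name=value` pairs; the sample payloads are constructed.

```python
import re
from collections import Counter

# One name=value pair of a Digest header, quoted-string or token value. Treating a
# well-formed Digest as "Digest" plus one or more such pairs is this example's heuristic.
_DIGEST_PAIR = r'[A-Za-z0-9_-]+\s*=\s*(?:"[^"]*"|[^\s,"]+)'
DIGEST_PARAMS = re.compile(rf'^\s*{_DIGEST_PAIR}(?:\s*,\s*{_DIGEST_PAIR})*\s*$')

TR069_PORT = 7547  # assumed conventional connection-request port; used only as a label here


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser.

    Returns (request_line, {lowercased header: value}) or None when the payload has no
    carriage return at all, which is the condition the advisory gives for the infinite loop.
    """
    if b"\r" not in raw:
        return None
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return request_line, headers


def is_well_formed_digest(value: str) -> bool:
    """True for 'Digest k=v, k2="v2", ...'; False for Basic, bare 'Digest' or junk."""
    scheme, _, params = value.strip().partition(" ")
    return scheme.lower() == "digest" and bool(DIGEST_PARAMS.match(params))


def classify_tr069_request(raw: bytes) -> str:
    """Map one inbound payload to the bug it would trigger, or 'benign'."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return "cve-2020-5761-loop"          # no '\r' anywhere in the message
    _, headers = parsed
    auth = headers.get("authorization")
    if auth is not None and not is_well_formed_digest(auth):
        return "cve-2020-5762-crash"         # e.g. curl --basic, as the advisory notes
    return "benign"


def audit_capture(payloads) -> dict:
    """Count classifications over a list of captured payloads."""
    return dict(Counter(classify_tr069_request(p) for p in payloads))


# Constructed sample payloads, as they would arrive on TCP/7547 (not real captures).
SAMPLES = [
    b"x",                                                         # the one-character message
    b"GET / HTTP/1.1\nHost: 192.0.2.10:7547\n\n",                 # LF-only request, still no '\r'
    b"GET / HTTP/1.1\r\nHost: 192.0.2.10:7547\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n",                 # basic auth: NULL deref
    b"GET / HTTP/1.1\r\nHost: 192.0.2.10:7547\r\n"
    b"Authorization: Digest username=\"acs\", realm=\"tr069\", "
    b"nonce=\"abc\", uri=\"/\", response=\"0123\"\r\n\r\n",        # well-formed digest
    b"GET / HTTP/1.1\r\nHost: 192.0.2.10:7547\r\n\r\n",           # no credentials at all
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify_tr069_request(p), p[:40])
    print(audit_capture(SAMPLES))
```

The second sample matters in practice: a request that uses bare LF line endings is a valid-looking HTTP message to many parsers yet still contains no `\r`, so a rule that only looks for "garbage" would miss it. Hooking `classify_tr069_request` into a honeypot or IDS stream for port 7547 gives you an alert for either trigger before the device's CPU pegs or its TR-069 service silently dies.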

And finally, CVE-2020-5763 (rated 8.8 out of 10 on the CVSS scale) is an SSH backdoor granting a root shell, first uncovered by Lorenzo Santina (BigNerd95) back in January. “An authenticated remote attacker can obtain a root shell by correctly answering a challenge prompt,” according to the CVE description.

All four remain unaddressed for now: Grandstream HT800 series firmware version 1.0.17.5 and earlier is vulnerable to every one of them.

“In June, Grandstream notified us that beta patches for these issues were available,” Sebree said. “Moreover, we published our findings following the expiration of the initial 90-day disclosure timeline and per our disclosure policy. We operate under the assumption that if we found it, then someone else will too. This belief brings a sense of urgency to all findings and guides our timelines.”

Threatpost has reached out to Grandstream about the timeline for issuing a fix. The disclosure timeline does note that fixes for all four bugs had at least been developed and tested with positive results, both by Grandstream internally and by Tenable, as of June 22.

Grandstream has run into other cybersecurity trouble in the past; last year, a series of both unauthenticated and authenticated remote code-execution vulnerabilities were uncovered in a variety of Grandstream products for small to medium-sized businesses, including audio and video conferencing units, IP video phones, routers and IP PBXs.

This post was updated at 9:15 a.m. ET to include comments from Tenable’s Sebree.
