Fuze, a maker of popular enterprise-grade voice-over-IP handsets, earlier this year patched three vulnerabilities that exposed user account information and enabled unauthorized authentication.
The issues were made public today by researchers at Rapid7 who privately disclosed the flaws on April 12. Fuze turned around fixes for each of the vulnerabilities by May 6, but public disclosure was delayed until today.
The flaws were found in Fuze’s TPN Handset Portal; the Massachusetts company was formerly known as ThinkingPhones but changed its name in 2016. Fuze’s handsets and portals support voice, messaging and collaboration services, and are widely deployed in businesses, including Rapid7.
“Fuze has no evidence of any bad actors exploiting this vulnerability to compromise customer data,” said Chris Conry, Fuze CIO.
The most serious of the vulnerabilities, Rapid7 program manager Samuel Huckins said, allows a remote attacker to gain access to an administration interface. In an advisory published this morning, Rapid7 said an attacker could browse to a URL, append a valid MAC address for a handset, and get a response that discloses the Fuze user’s email address, account name and location, plus a link to the administrative interface, all returned over HTTP without authentication.
“The URL is determined by the MAC address of the phone,” Huckins said. “You could turn [the handset] over and find the base URL and not get prompted for authentication before Fuze fixed it.”
An attacker could also leverage this flaw to enumerate all of Fuze’s customers.
“While the total possible MAC address space is large (48 bits), the practical space in this case is significantly less,” Rapid7 said. “An attacker would only need to enumerate options starting with related published OUIs to target the subset of MAC addresses for Polycom and Yealink phones, which are the officially supported phone brands that Fuze offers.”
Rapid7 added that because handsets commonly request their configuration data from a remote, cloud-based server, the ability to enumerate them by MAC address posed a risk specific to these devices.
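From the defender's side, the enumeration pattern described above is visible in the portal's web access logs: one handset fetches its single MAC-keyed URL, while a scanner walks many MACs under a handful of OUI prefixes. The following is an added example, not code from Rapid7 or Fuze; it assumes a hypothetical `/provision/<mac>` path, and the log lines, IPs, MACs and OUI prefixes in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The
# /provision/<mac> path, the client IPs and the MAC/OUI values are made up
# for illustration; they are not real Fuze portal paths or vendor OUIs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2017:10:01:01 +0000] "GET /provision/aabbcc000001 HTTP/1.1" 200 512
10.0.0.7 - - [12/Apr/2017:10:02:01 +0000] "GET /provision/aabbcc000001 HTTP/1.1" 200 512
10.0.0.7 - - [12/Apr/2017:10:02:02 +0000] "GET /provision/aabbcc000002 HTTP/1.1" 404 0
10.0.0.7 - - [12/Apr/2017:10:02:03 +0000] "GET /provision/aabbcc000003 HTTP/1.1" 404 0
10.0.0.7 - - [12/Apr/2017:10:02:04 +0000] "GET /provision/aabbcc000004 HTTP/1.1" 200 498
10.0.0.7 - - [12/Apr/2017:10:02:05 +0000] "GET /provision/ddeeff000010 HTTP/1.1" 404 0
10.0.0.9 - - [12/Apr/2017:10:03:01 +0000] "GET /provision/ddeeff000010 HTTP/1.1" 200 503
10.0.0.9 - - [12/Apr/2017:10:03:30 +0000] "GET /provision/ddeeff000010 HTTP/1.1" 200 503
"""

# Match the client IP and the 12-hex-digit MAC embedded in the request path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*"GET /provision/(?P<mac>[0-9a-fA-F]{12}) HTTP/')


def distinct_macs_per_client(log_text):
    """Map each client IP to the set of distinct MACs it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("ip")].add(m.group("mac").lower())
    return seen


def oui_prefixes(macs):
    """First three octets of each MAC: a scan tends to cluster on few OUIs."""
    return {mac[:6] for mac in macs}


def flag_enumerators(log_text, threshold=3):
    """Clients that requested more than `threshold` distinct handset URLs.

    A real handset normally fetches only its own MAC-keyed URL, so a client
    touching many MACs (especially with 404s) is a likely enumeration scan.
    """
    seen = distinct_macs_per_client(log_text)
    return sorted(ip for ip, macs in seen.items() if len(macs) > threshold)


if __name__ == "__main__":
    for ip in flag_enumerators(SAMPLE_LOG):
        macs = distinct_macs_per_client(SAMPLE_LOG)[ip]
        print(ip, len(macs), "MACs across OUIs", sorted(oui_prefixes(macs)))
```

In production the same check would be run per time window and paired with the rate limiting described later in the article, since a patient scanner can stay below any single-window threshold.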
Fuze also encrypted traffic between its handsets and the TPN portal, adding TLS to that bit of network communications, Huckins said. This action prevents an attacker already on the network in a man-in-the-middle position from sniffing any traffic as the handset boots or makes requests to the portal. Huckins added that a lower-level update channel for firmware updates was already protected with TLS; it’s unknown why this channel was not.
The remaining vulnerability was a lack of restrictions imposed on the number of authentication attempts to the administration portal, exposing it to brute-force attacks.
“On the network, you can no longer just try credentials over and over,” Huckins said. “There is now a rate limit in place.”
Huckins said Rapid7 has been using the handsets for some time for internal calls and meetings, and earlier this year, its IT team spotted these issues while going through some configuration updates. He said there’s no indication that anyone had abused these vulnerabilities, or was specifically looking for them.
“This is a bit of a blind spot when you’re using a vendor who has hardware or your network and resources on the internet. There may be some risks or aspects of the product you may not know about,” Huckins said. “I would say if someone got access to the internal network and was sniffing around, this might come up and be of interest. This is not something someone is going to look for in a targeted way.”