A series of both unauthenticated and authenticated remote code-execution vulnerabilities have been uncovered in a variety of Grandstream products for small to medium-sized businesses, including audio and video conferencing units, IP video phones, routers and IP PBXs.
Affected Products
According to Trustwave SpiderLabs research released on Monday and shared exclusively with Threatpost, compromising these devices can allow an attacker to start scanning, installing remote access trojans and attacking other machines on the network that would otherwise be inaccessible; or install arbitrary applications. Attackers can also use the vulnerabilities to gain access to cameras and microphones to turn them into listening devices.
“The most notable aspect of the vulnerabilities is what you can do simply by using the programs that get shipped on the device,” Brendan Scarvell, senior security consultant at Trustwave SpiderLabs, told Threatpost in an interview. “This includes playing audio through the speakers, recording conversations through the microphone, activating cameras and taking photos, installing custom software/malware etc. This is pretty bad for places such boardrooms or executive offices where confidential conversations frequently happen. An attacker can silently eavesdrop into a confidential conversation without anyone knowing the device has actually been compromised. As all the devices are running with root privileges, you have access to do pretty much whatever you want.”
Thus, another danger involves the fact that the affected IP video phones also integrate with their own security door systems.
“I have tested the touchscreen APIs to activate the camera and take a photo,” Scarvell said. “So technically, an attacker could also utilize these built in touchscreen APIs on these devices to let an unauthorized user into the building by using the auth bypass to touch the button on the phone’s screen to unlock the door when someone calls the intercom.”
And finally, an attacker could also uncover the account passwords for the device (which are stored in plain text) which could be helpful in gaining access to other systems on the network if they’re reused.
There are more than 135,000 of these devices quickly searchable on Shodan and publicly exposed, according to the research, with a large subset of them that are vulnerable. It’s also possible that other devices in the Grandstream portfolio contain bugs.
“All other models and end of life products have not been tested, however it’s likely they’re all running very similar firmware and also vulnerable to these attacks,” Scarvell said.
Exploitation
In the real world, these vulnerabilities (details of which are in the advisory) could be exploited in a few ways, according to the researcher. For one, an attack could be as simple as sending an HTTP request to a device on an internal network or to a device on a misconfigured network which has exposed it to the public internet (which is where the Shodan connected device search engine comes in).
“These devices are pretty easy to exploit,” Scarvell told Threatpost. “Some Shodan searching with specific keywords will easily return results.”
The bad news doesn’t stop there, either; all of the unauthenticated remote code-execution (RCE) bugs can also be used in cross-site request forgeries (CSRFs) by an attacker hosting a malicious web page. Due to a vulnerability in the way the phones and audio/video conferencing units check authentication, this malicious webpage can be used to attack a visitor’s local network on a drive-by basis.
“This means that a HTML page can contain malicious code that when someone on a home or work network browses to it on the internet, it silently sprays the victims network with a payload that results in a reverse shell, giving an attacker access to the victim’s network, which makes this a pretty critical vulnerability,” Scarvell said. “Upon successfully hitting one of the devices, an attacker can gain entry into a network that’s otherwise inaccessible. The initial compromised device can then be used to find other devices on network and compromise those.”
Mitigations
Users can protect their networks by upgrading to the latest firmware in most cases; the vulnerabilities were initially reported to Grandstream on December 6th, and the last device was deemed fixed March 1st. However, Trustwave said that the patches provided for the GAC2500 (an audio-conferencing unit) aren’t sufficient, and that the vulnerability still exists.
“The patch does not fix the unauthenticated RCE, meaning at least the audio conferencing devices remain vulnerable,” Scarvell said. “I have not confirmed if this is the case with any of the other devices, but I guess it’s possible that the firmware versions for other devices may also not be fixed.”
Disabling the web interface on the device will stop an exploit from working until Grandstream provides a patched version.
Scarvell added one other caveat as well: “I was unable to install latest firmware updates on an audio conferencing unit that was fresh out of the box without manually installing prior updates,” he explained. “Due to it only indicating it failed to install by a small notification on the screen which disappears quickly. It’s possible that people may have similar experiences in updating their devices and be unaware their update has failed. User’s should confirm that the version matches what’s on the website.”
Threatpost reached out to Grandstream and will update this post with any additional patch information or comments.
In general, medium-sized businesses (SMBs) can take on basic security approaches to protect themselves from exploits from these kinds of vulnerabilities.
“SMBs in the modern, connected business environment face many of the same security risks as larger organizations but are far more resource constrained in what they can invest in protecting their systems and sensitive information,” Scarvell said. “However, at the end of the day, a lot of security comes down to some pretty straightforward and well understood practices, like patch management, network segregation and basic hardening.”
Some specific advice for these devices would be to ensure all devices are up-to-date and running the latest firmware; turn on automatic updates; change all default credentials on the devices for all accounts; run the devices on a separate network from those accessing sensitive information; disabling access to all services that aren’t required on the device; and upgrading any end-of-life devices that are no longer receiving security updates.
Don’t miss the free replay of our Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub.”
Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.
