Critical security vulnerabilities have been disclosed in the VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands.
Following responsible disclosure by researchers from Kerbit, an Ethiopia-based penetration-testing and vulnerability research firm, on December 15, 2021, the issues were addressed in version 24.97 of the WEB GUI shipped on January 11, 2022.
“[F]ix critical vulnerabilities – new SQL injects for unauthenticated end users permitting gaining admin privileges,” the maintainers of VoIPmonitor noted in the change log.

VoIPmonitor is an open-source network packet sniffer with a commercial frontend for the SIP, RTP and RTCP VoIP protocols running on Linux, allowing users to monitor and troubleshoot the quality of SIP VoIP calls as well as decode, play, and archive calls in a CDR database.
The three flaws identified by Kerbit are listed below –
- CVE-2022-24259 (CVSS score: 9.8) – An authentication bypass bug in the “cdr.php” component of the GUI that allows an unauthenticated attacker to elevate privileges via a specially crafted request.
- CVE-2022-24260 (CVSS score: 9.8) – An SQL injection vulnerability in the “api.php” and “utilities.php” components of the GUI that allows attackers to escalate privileges to the administrator level and retrieve sensitive data.
- CVE-2022-24262 (CVSS score: 7.8) – A remote command execution via the GUI’s configuration restore functionality due to a missing check for archive file formats, allowing a bad actor to execute arbitrary commands through a crafted file.
“The key rationale that the only bug in this article is the point that we are permitted to add any file extension and that we can attain the uploaded documents to get them to execute,” Kerbit researcher Daniel Eshetu, who discovered the flaws, said in a write-up.
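As an added illustration (not VoIPmonitor's code and not taken from the Kerbit write-up), the handler below shows how a configuration-restore upload can close the two gaps the article describes: it verifies the archive format from the file's magic bytes instead of trusting the extension, and stores the file under a server-chosen name outside the web root. The storage directory and function names are assumptions.

```php
<?php
// Added example, not VoIPmonitor's code. Hardened handling for a
// "configuration restore" upload: the weakness described above was a
// missing archive-format check plus acceptance of any file extension, with
// the uploaded file then reachable for execution. Paths are hypothetical.

declare(strict_types=1);

const RESTORE_DIR = '/var/lib/voipmonitor-restore'; // hypothetical, outside web root
const ALLOWED_EXT = ['tar', 'gz', 'tgz'];

/** True if the leading bytes identify a gzip stream or a POSIX tar archive. */
function is_supported_archive(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $ok = (fread($fh, 2) === "\x1f\x8b");          // gzip magic bytes
    if (!$ok && fseek($fh, 257) === 0) {
        $ok = (fread($fh, 5) === 'ustar');         // tar "ustar" marker at offset 257
    }
    fclose($fh);
    return $ok;
}

/**
 * Validate an uploaded restore archive and move it to a private directory
 * under a server-generated name. Returns the stored path, or null on rejection.
 * For a real $_FILES upload, replace rename() with move_uploaded_file().
 */
function accept_restore_upload(string $tmpPath, string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                               // extension not on the allowlist
    }
    if (!is_supported_archive($tmpPath)) {
        return null;                               // content is not an archive
    }
    if (!is_dir(RESTORE_DIR) && !mkdir(RESTORE_DIR, 0700, true)) {
        return null;
    }
    // Server-chosen random name: the client-supplied name never reaches disk.
    $dest = RESTORE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return rename($tmpPath, $dest) ? $dest : null;
}
```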
Parts of this article are sourced from:
thehackernews.com