The flaws have been confirmed by Grandstream, but no firmware update has yet been issued.
A number of high-severity vulnerabilities in the Grandstream HT800 series of Analog Telephone Adaptors (ATAs) threaten home, small-business and midrange users alike, with outages, eavesdropping and device takeover.
The HT800 series of ATAs is built for everyone from home or small-office users to medium-sized businesses looking to connect their analog telephone devices to a VoIP network, unified communications system or other IP-based communications infrastructure. According to research from Tenable, the devices have four worrying flaws, all of them unpatched as of this writing.
The bug tracked as CVE-2020-5760 (scored 7.8 out of 10 on the CVSS scale) could allow command injection during the provisioning process. Unauthenticated remote attackers can execute arbitrary commands as root by crafting a special configuration file and sending a crafted SIP message.
“Tenable found the HT800 series is vulnerable to command injection via the configuration file when P240 is set to 1 and P2 (password) contains shell metacharacters,” the company said in its advisory, released this week. “Furthermore, Tenable found that an unauthenticated remote attacker could trigger this injection via a x-gs-ucm-url SIP message.”
Tenable also published a proof-of-concept exploit, which results in a root shell on the device, allowing full compromise.
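The trigger condition Tenable describes (P240 set to 1 and shell metacharacters in the P2 password) is easy to check for on the defender's side. The following is an added example, not Grandstream or Tenable code: it parses a provisioning config in an assumed `Pnnn = value` text form, flags configs that match the advisory's condition, and shows a hardened loader that validates P2 against an allowlist and returns an argv list for `subprocess.run(argv)` with `shell=False`, so no shell ever parses the value. The `setpasswd` tool name and the allowlist are placeholders chosen for the example.

```python
import re

# Characters a POSIX shell treats specially; a config value carrying any of
# these is a finding when the value can reach a shell.
SHELL_META = set(';&|`$(){}<>\\"\'\n\r')
# Allowlist assumed for this example: bounded length, printable characters,
# none of which are shell metacharacters.
SAFE_P2 = re.compile(r"^[A-Za-z0-9!@#%^*_+=.,:?~\-]{1,64}$")


def parse_pvalues(text):
    """Parse 'Pnnn = value' lines (format assumed) into a dict.

    Blank lines and '#' comments are skipped; the first '=' splits key and value.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip():
            values[key.strip()] = val.strip()
    return values


def audit_config(text):
    """Return findings for configs that match the advisory's trigger condition."""
    pv = parse_pvalues(text)
    findings = []
    if pv.get("P240") == "1":
        findings.append("P240=1: the affected provisioning path is enabled")
    p2 = pv.get("P2", "")
    bad = sorted(c for c in set(p2) if c in SHELL_META)
    if bad:
        findings.append("P2 contains shell metacharacters: " + repr("".join(bad)))
    return findings


def p2_is_safe(p2):
    """True only if P2 matches the allowlist in full."""
    return SAFE_P2.fullmatch(p2) is not None


def build_password_argv(pv):
    """Hardened loader: validate P2, then return an argv list (never a shell string).

    The list is meant for subprocess.run(argv) with shell=False; 'setpasswd'
    is a placeholder tool name for the example.
    """
    p2 = pv.get("P2", "")
    if not p2_is_safe(p2):
        raise ValueError("P2 rejected: characters outside the allowlist")
    return ["setpasswd", "--user", "admin", "--password", p2]


# Constructed sample configs for the example (not captured from a device).
RISKY_CONFIG = "P240 = 1\nP2 = pass;w0rd\n"
CLEAN_CONFIG = "P240 = 0\nP2 = s3cret-Only_Safe\n"

if __name__ == "__main__":
    print(audit_config(RISKY_CONFIG))
    print(audit_config(CLEAN_CONFIG))
    print(build_password_argv(parse_pvalues(CLEAN_CONFIG)))
```

The audit catches the dangerous combination before a config is pushed to a device, while the loader shows the two layers a firmware should have had: reject values outside a strict allowlist, and pass the value as an argument vector rather than through a shell, so the second layer still holds if the first is ever loosened.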
Meanwhile, CVE-2020-5761 is an infinite-loop issue in the TR-069 service (rated 7.5 out of 10 on the CVSS scale) that can result in CPU exhaustion. TR-069 is a technical specification of the Broadband Forum that defines an application-layer protocol for remote management of customer-premises equipment (CPE) connected to IP networks. In Grandstream’s ATA implementation of it, a bug could allow an unauthenticated remote attacker to trigger an exploit by sending a one-character TCP message to the service.
“The device’s TR-069 service falls into an infinite loop if an unauthenticated, remote attacker sends a TCP message that doesn’t contain a carriage return character (‘\r’),” explained Tenable, in its advisory. “The TR-069 service will then consume almost all of the system’s CPU until the system is rebooted.”
The bug is “trivial” to trigger, the company added.
The TR-069 service is also at the heart of the third issue, CVE-2020-5762 (rated 7.5 out of 10 on the CVSS scale). This is a denial-of-service issue caused by a NULL pointer dereference in the TR-069 service. The condition is triggered due to mishandling of the HTTP Authentication field, according to the CVE description.
“The device’s TR-069 service will crash due to a NULL pointer dereference when an unauthenticated remote HTTP GET request includes an authentication field that is not a well-formed digest-challenge,” according to Tenable. “The TR-069 service doesn’t get restarted after the crash…This is easily reproduced by using basic authentication with curl.”
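Both TR-069 bugs are failures of input handling in the same request path: looping until a carriage return arrives, and assuming an Authorization header is a well-formed Digest before reading its fields. The following added example (not Grandstream or Tenable code) shows the defensive shape for both: the request parser works on the bytes received so far, returns "incomplete" instead of spinning when no terminator has arrived (the caller enforces a socket timeout and a size bound), and the Authorization parser returns `None` for Basic or malformed Digest so the service answers 401 instead of dereferencing a missing field. The size bound and the sample requests are constructed for the example.

```python
import re

MAX_REQUEST_BYTES = 8192  # bound assumed for the example; a real service picks its own

# Digest parameters are key="quoted" or key=token pairs after the scheme name.
_DIGEST_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')
REQUIRED_DIGEST = ("username", "realm", "nonce", "uri", "response")


def parse_authorization(value):
    """Return the Digest parameters as a dict, or None if the header is absent,
    uses another scheme (e.g. Basic) or lacks a required field.

    A None result means "send a fresh 401 Digest challenge"; no field of a
    non-Digest header is ever touched.
    """
    if value is None:
        return None
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    parsed = {}
    for m in _DIGEST_PARAM.finditer(params):
        parsed[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    if any(key not in parsed for key in REQUIRED_DIGEST):
        return None
    return parsed


def parse_request(buf):
    """Parse the bytes received so far and return (status, detail).

    status is one of:
      'incomplete'   - end of headers not seen yet; caller keeps reading under a
                       socket timeout and drops the peer when it expires
      'reject'       - oversized or malformed; caller closes the connection
      'unauthorized' - no usable Digest credentials; caller answers 401
      'ok'           - detail holds method, target and the Digest parameters
    The function never waits for a byte that has not arrived.
    """
    if len(buf) > MAX_REQUEST_BYTES:
        return "reject", "request exceeds size bound"
    head, sep, _body = buf.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete", "end of headers not received"
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (ValueError, UnicodeDecodeError):
        return "reject", "malformed request line"
    headers = {}
    for raw in lines[1:]:
        name, colon, val = raw.decode("latin-1").partition(":")
        if not colon or not name.strip():
            return "reject", "malformed header line"
        headers[name.strip().lower()] = val.strip()
    auth = parse_authorization(headers.get("authorization"))
    if auth is None:
        return "unauthorized", "answer 401 with a Digest challenge"
    return "ok", {"method": method, "target": target, "version": version, "auth": auth}


# Constructed sample inputs (not captured traffic).
ONE_BYTE = b"x"                                   # no '\r' at all
BASIC_GET = (b"GET / HTTP/1.1\r\nHost: ata\r\n"
             b"Authorization: Basic dXNlcjpwdw==\r\n\r\n")
DIGEST_GET = (b"GET / HTTP/1.1\r\nHost: ata\r\n"
              b'Authorization: Digest username="admin", realm="r", '
              b'nonce="n", uri="/", response="abc"\r\n\r\n')

if __name__ == "__main__":
    for sample in (ONE_BYTE, BASIC_GET, DIGEST_GET, b"x" * 9000):
        print(parse_request(sample)[0])
```

The one-character message that locks up the real service simply yields "incomplete" here, and the Basic-auth GET that crashes it yields "unauthorized"; whether a client ever finishes its request is then the caller's timeout to enforce, not a reason to spin.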
Finally, CVE-2020-5763 (rated 8.8 out of 10 on the CVSS scale) is an SSH backdoor allowing a root shell, first discovered by Lorenzo Santina (BigNerd95) back in January. “An authenticated remote attacker can obtain a root shell by correctly answering a challenge prompt,” according to the CVE description.
All four for now remain unaddressed. Grandstream HT800 series current firmware version 1.0.17.5 and below is vulnerable to all four bugs.
“At the time of publication, no solution exists,” Tenable noted.
Threatpost has reached out to Grandstream about the timeline for issuing a fix for the issues. But in the disclosure timeline, it’s noted that fixes for all the bugs have at least been developed and tested with positive results both by Grandstream internally and by Tenable, as of June 22.
Grandstream has run into other cybersecurity problems in the past. Last year, a series of both unauthenticated and authenticated remote code-execution vulnerabilities were discovered in a range of Grandstream products for small to medium-sized businesses, including audio and video conferencing units, IP video phones, routers and IP PBXs.