Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection

2013.06.15
Credit: Stefan
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

SEC Consult Vulnerability Lab Security Advisory < 20130614-0 > ======================================================================= title: Multiple vulnerabilities in Siemens OpenScape Branch and OpenScape Session Border Controller product: Siemens OpenScape Branch Siemens OpenScape Session Border Controller (SBC) vulnerable version: OpenScape Branch / SBC, all versions prior to V2 R0.32.0 or V7 R1.7.0 fixed version: V2 R0.32.0 or V7 R1.7.0 (Branch) V2 R0.32.0 or V7 R1.7.0 (SBC) impact: Critical homepage: http://www.siemens-enterprise.com/ found: 2012-09-14 by: Stefan Viehbck, Michael Heinzl, Florian Lukavsky SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "OpenScape Branch is a SIP based, Voice over IP application and appliance that assures continuance of communication services for OpenScape Voice users in remote branch offices. Unlike other simple survivable remote branch solutions, OpenScape Branch provides value beyond survivability by adding important local capabilities such as Media Server, Firewall, and Session Border Controller (SIP Trunking). The integration of all this capability into a single solution simplifies and reduces the complexity of a remote office installation." Source: http://www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/openscape-branch.aspx "OpenScape Session Border Controller is the smartest and most affordable way for OpenScape Voice and HiPath 4000 customers to realize the cost-saving advantages of secure SIP trunking to IP networks, remote offices and workers. Designed with lowest total cost of ownership in mind, it is a next generation virtualized application ready for data center deployment as part of a unified communications solution. OpenScape Session Border Controller provides built-in SIP-aware security capability that includes dynamic opening and closing of firewall pinholes for media connections, SIP protocol validation, Denial of Service mitigation, and network topology hiding. It also supports TLS encryption on both the core- and access-side SIP signaling interfaces as well as SRTP media encryption for both pass-through and termination mediation scenarios." Source: http://www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/session-border-controller.aspx Business recommendation: ------------------------ SEC Consult has identified several vulnerabilities within the components of the OpenScape Branch / OpenScape Session Border Controller in the course of a very limited infrastructure audit. Very little time was spent on the affected products. Some components have been spot-checked, while others have not been tested at all. Since VoIP traffic passes through the appliance, interception of phone calls might be possible. The system can be used as an entry point for further attacks on the VoIP infrastructure and can thus severely harm the confidentiality of sensitive information. The recommendation of SEC Consult is to restrict network access to the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor. The vendor recommends the implementation of the "Security Checklist for OpenScape Branch and SBC". The specific issues mentioned here are not mitigated by these measures. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated access to statistics / information disclosure Unauthenticated users can access server statistics. These statistics give detailed system information including CPU, memory and disk usage, uptime, etc. 2) Reflected Cross-Site Scripting (XSS) Several XSS vulnerabilities were identified. These vulnerabilities e.g. enable effective session hijacking attacks. 3) Unauthenticated local file disclosure Unauthenticated users can read arbitrary files from the filesystem with the privileges of the webserver. These files include configuration files containing sensitive information, all of which might be used in further attacks on the VoIP infrastructure. 4) Unauthenticated OS command injection Unauthenticated users can execute arbitrary commands on the underlying operating system with the privileges of the webserver. This can be used to get persistent access to the affected system (eg. by planting backdoors) or accessing all kinds of locally stored information. The system can be used as an entry point for further attacks on the VoIP infrastructure. Proof of concept: ----------------- Detailed proof of concept URLs or exploit code have been removed from this advisory. 1) Unauthenticated access to statistics / information disclosure The following POST request returns detailed information about the server: <removed> Affected script: /core/getLog.php 2) Reflected Cross-Site Scripting (XSS) The following request executes attacker-supplied JavaScript in a victim's browser: <removed> Affected script: /core/handleTw.php 3) Unauthenticated local file disclosure The following POST request shows how files can be extracted from the file system: <removed> Affected script: /core/getLog.php 4) Unauthenticated OS command injection The following POST request shows how arbitrary OS commands can be executed on the system: <removed> Affected script: /core/getLog.php Vulnerable / tested versions: ----------------------------- OpenScape Branch, all versions OpenScape SBC, all versions Vendor contact timeline: ------------------------ 2012-10-02: Delivering audit report to mutual customer 2013-03-22: Planned disclosure, but delayed since vulnerabilities were only fixed partially 2013-06-14: Coordinated disclosure (OBSO-1306-01) Solution: --------- Update to one of the following versions: OpenScape Branch: V2 R0.32.0 or V7 R1.7.0 OpenScape SBC: V2 R0.32.0 or V7 R1.7.0 Customers with OpenScape Branch V1 R4, should upgrade to V2 or higher. If a customer is unable to upgrade as recommended at this time, an alternate upgrade to at least V1 R4.17.0 will reduce the risk from high to medium. A patch for V7 R0 will not be released, customers are urged to upgrade to V7 R1. Vendor advisories are only available via an advisory newsletter service (email). Information on this advisory is published in Siemens advisory OBSO-1306-01. Information on how to subscribe can be found at: http://wiki.siemens-enterprise.com/images/c/ce/Security_Policy_-_Vulnerability_Intelligence_Process.pdf Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehbck / @2013

References:

http://jaist.dl.sourceforge.net/project/librettocms/librettoCMS_v.2.2.2.zip
http://cxsecurity.com/issue/WLB-2013050190


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top