Enghouse Interactive IVR Pro VIP2000 remote root authentication

2014-01-16 / 2014-01-17
Risk: High
Local: No
Remote: Yes
CWE: CWE-310


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

XPD - XPD Advisory
https://xpd.se

Enghouse Interactive IVR Pro (VIP2000) remote root authentication bypass Vulnerability

Advisory ID: XPD-2013-001
CVE reference: CVE-2013-6838
Affected platforms: IVR Pro/Contact Center (VIP2000) platforms with OpenVZ and fallback customization applied
Version: 9.0.3 (rel903)
Date: 2013-November-18
Security risk: High
Vulnerability: IVR Pro (VIP2000) remote root authentication bypass
Researcher: Fredrik Soderblom and Peter Norin
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy: https://xpd.se/advisories/xpd-disclosure-policy-01.txt
Permanent URL: https://xpd.se/advisories/XPD-2013-001.txt

=====================================================================
Description:

Vulnerable IVR Pro installations allow unauthenticated users to bypass authentication and log in as the 'root' user on the device.

The SSH private key corresponding to the following public key is public and present on all vulnerable appliances:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA45UvNUI2IZMrRiM77za5FrX+mWv+XI6+Atfey
ITcCbnqz1Z0YGVoMlBqAWIIN/GEesDmJ+kgycxd06jMQXBbrb/dkqYjxDM+n3ohf0w8v8xLPc
NtnI65AW//BKkWCAizo1t+doQO2i9WszZYyJ1ZA8V32Jt2l49d1EwQAByW3pZKBohKdDcMCvU
IRhNzB1GdZUVB0HgOuClA5xnAkc7NNt/Wftd5SsJxOwT9dlDjBcda4+giqokWUCRqF5GEzAva
8HiZjob8ExkNxhGfoZ5gMB7ZFdzZlLRwI3N7vSA6aJbrm2LxBp1npeQ1mpsrLvMkTrdA1GExS
QRJQBoZBW7TyQ==

Furthermore, the SSH private key is not protected with a passphrase.

Its fingerprint is: d6:07:41:f2:5c:ca:77:a5:d2:ef:d8:1b:69:1c:17:b4

=====================================================================
Impact

If successful, a malicious third party can get full control of the device with little to no effort. The attacker might reposition and launch an attack against other parts of the target infrastructure from there.
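To check whether a host still trusts the shared key, an administrator can compare every entry in root's authorized_keys against the fingerprint given above. The following is an added example, not part of the XPD advisory or vendor tooling; the function names and the sample entries are hypothetical, and it assumes the published fingerprint is the colon-separated MD5 of the raw key blob, which is the legacy OpenSSH fingerprint format.

```python
import base64
import binascii
import hashlib
import re
import struct

# MD5 fingerprint of the shared key, as published in the advisory.
ADVISORY_FINGERPRINT = "d6:07:41:f2:5c:ca:77:a5:d2:ef:d8:1b:69:1c:17:b4"
KEY_RE = re.compile(r"(?:^|\s)(ssh-[a-z0-9]+|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+={0,2})")

def md5_fingerprint(blob):
    """Colon-separated MD5 hex of the raw key blob (legacy OpenSSH format)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def key_blob(line):
    """Decode the public-key blob from one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    for m in KEY_RE.finditer(line):  # options may precede the key type
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue
        # A real blob starts with a length-prefixed copy of the key type.
        if len(blob) > 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == m.group(1).encode():
                return blob
    return None

def scan(text, bad=frozenset({ADVISORY_FINGERPRINT})):
    """Return (line number, fingerprint) for every key whose fingerprint is in bad."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        blob = key_blob(line)
        if blob is not None and md5_fingerprint(blob) in bad:
            hits.append((lineno, md5_fingerprint(blob)))
    return hits

def make_sample_key(label):
    """Constructed test entry (not a real key): 'ssh-rsa <base64 blob>'."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + label
    return "ssh-rsa " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    sample = "# constructed sample\n" + make_sample_key(b"demo") + " root@host\n"
    print(scan(sample))  # constructed key does not match the advisory fingerprint
    print(scan(sample, {md5_fingerprint(key_blob(sample.splitlines()[1]))}))
```

On a real appliance, pass the contents of each account's authorized_keys file to `scan()`; any hit means the entry should be removed and the host treated as exposed until the vendor fix is applied.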
=====================================================================
Versions affected:

According to Enghouse Interactive the problem is located in an addon product delivered by Enghouse Interactive Professional Services. The addon utilizes OpenVZ to achieve high availability for the IVR Pro platform.

IVR Pro/Contact Center (VIP2000) version 9.0.3 (rel903) with OpenVZ and fallback tested.

The vendor reports that the following versions are patched:

Same release (9.0.3), with latest release of OpenVZ fallback customization, is fixed

=====================================================================
Credits

This vulnerability was discovered and researched by Fredrik Soderblom and Peter Norin from XPD AB.

=====================================================================
History

18-11-13 Initial Discovery
22-11-13 Initial attempt to contact the vendor
23-11-13 Reply from Radek Zalewski, case is assigned to internal resource
26-11-13 Draft of the advisory sent to the vendor
27-11-13 CVE-2013-6838 is assigned
27-11-13 Enghouse Interactive notifies us that patches are ready
15-01-14 Public disclosure

=====================================================================
About XPD

XPD AB is a privately held company with Headquarters in Stockholm, Sweden. Established in 2002, XPD AB is an independent security consulting and research firm, with a focus on security and perimeter security solutions.

https://xpd.se

=====================================================================
Disclaimer and Copyright

Copyright (c) 2013-2014 XPD AB. All rights reserved.

This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given.

The information provided in this advisory is provided "as is" without warranty of any kind. XPD AB disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall XPD AB or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if XPD AB or its suppliers have been advised of the possibility of such damages.

References:

http://seclists.org/fulldisclosure/2014/Jan/103

