-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                      XPD - XPD Advisory
                        https://xpd.se

       Enghouse Interactive IVR Pro (VIP2000) remote root
              authentication bypass Vulnerability

Advisory ID: XPD-2013-001
CVE reference: CVE-2013-6838
Affected platforms: IVR Pro/Contact Center (VIP2000) platforms 
 with OpenVZ and fallback customization applied
Version: 9.0.3 (rel903)
Date: 2013-November-18
Security risk: High
Vulnerability: IVR Pro (VIP2000) remote root authentication bypass
Researcher: Fredrik Soderblom and Peter Norin
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy:
 https://xpd.se/advisories/xpd-disclosure-policy-01.txt
Permanent URL:
 https://xpd.se/advisories/XPD-2013-001.txt

=====================================================================
Description:

Vulnerable IVR Pro installations allow unauthenticated users to 
 bypass authentication and login as the 'root' user on the device.

The SSH private key corresponding to the following public key is
 public and present on all vulnerable appliances:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA45UvNUI2IZMrRiM77za5FrX+mWv+XI6+Atfey
ITcCbnqz1Z0YGVoMlBqAWIIN/GEesDmJ+kgycxd06jMQXBbrb/dkqYjxDM+n3ohf0w8v8xLPc
NtnI65AW//BKkWCAizo1t+doQO2i9WszZYyJ1ZA8V32Jt2l49d1EwQAByW3pZKBohKdDcMCvU
IRhNzB1GdZUVB0HgOuClA5xnAkc7NNt/Wftd5SsJxOwT9dlDjBcda4+giqokWUCRqF5GEzAva
8HiZjob8ExkNxhGfoZ5gMB7ZFdzZlLRwI3N7vSA6aJbrm2LxBp1npeQ1mpsrLvMkTrdA1GExS
QRJQBoZBW7TyQ==

Furthermore the SSH private key is not protected with a passphrase.

Its fingerprint is:
 d6:07:41:f2:5c:ca:77:a5:d2:ef:d8:1b:69:1c:17:b4

=====================================================================
Impact

If successful, a malicious third party can get full control of the
 device with little to no effort. The Attacker might reposition and
 launch an attack against other parts of the target infrastructure
 from there.

=====================================================================
Versions affected:

According to Enghouse Interactive the problem is located in an addon
 product delivered by Enghouse Interactive Professional Services. The
 addon utilizes OpenVZ to achieve high availability for the IVR Pro
 platform.

IVR Pro/Contact Center (VIP2000) version 9.0.3 (rel903) with OpenVZ 
 and fallback tested. 

The vendor reports that the following versions are patched:
 Same release (9.0.3), with latest release of OpenVZ fallback
 customization, is fixed

=====================================================================
Credits

This vulnerability was discovered and researched by Fredrik Soderblom
 and Peter Norin from XPD AB.

=====================================================================
History

18-11-13 Initial Discovery
22-11-13 Initial attempt to contact the vendor
23-11-13 Reply from Radek Zalewski, case is assigned to internal resource
26-11-13 Draft of the advisory sent to the vendor
27-11-13 CVE-2013-6838 is assigned
27-11-13 Enghouse Interactive notifies us that patches are ready
15-01-14 Public disclosure

=====================================================================
About XPD

XPD AB is a privately held company with Headquarters in Stockholm, Sweden.
 Established in 2002, XPD AB is an independant security consulting and
 research firm, with a focus on security and perimeter security solutions.

https://xpd.se

=====================================================================
Disclaimer and Copyright

Copyright (c) 2013-2014 XPD AB. All rights reserved.
This advisory may be distributed as long as its distribution is
 free-of-charge and proper credit is given.

The information provided in this advisory is provided "as is" without
 warranty of any kind. XPD AB disclaims all warranties, either
 express or implied, including the warranties of merchantability and
 fitness for a particular purpose. In no event shall XPD AB or
 its suppliers be liable for any damages whatsoever including direct,
 indirect, incidental, consequential, loss of business profits or
 special damages, even if XPD AB or its suppliers have been advised
 of the possibility of such damages.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJSzVtfAAoJEH47YPoA7U9kw1wP/1zDk4SUK03jTqdr44FdaK81
YLzDk5PaZ95ql7rZaD+rGrMvMykkpBiid31gu/UwMr3vYTboAn3bky2fROnbdvjB
72d5GBBxuUq6BjHyimz6zjqtRNsFfN19FHIeB9if83QON4BbRy1v7SNNST49wAC1
1dk0GUcVQOPQBRRIsP2UJLIxMGkbeFRQh/xAp9X4H9BjCnxrjoz6oj5kLHABTBnC
decFT7Pw10+M1nyE0CxXPpQ5L+y3+2yFfK8ORCeNYLU2WzC5d+LAjLSizNF3FrAT
B8ATAl+vMdgmFLV3z4/CaYbMrmsQZgZmrXU6QpvysdaaIbPaStV0v8vNXJP/K2OG
zPJyPPPIU+WbsdyJKM6WKTncx58NNw7ck74qp26H0EpG5uA6mvNQpmf5cGiZh2k0
gINzYmDCKhE4F1yBy8OMjKP7S0n6uqH1wx3WR8JoEXQxRrkncbKkLQBX6SmxSog5
sEa9t+iiEfwUU3YSEqQPFbr88YFE8MgfjyuZBAwB6sYY+H+Lr+uGgOB9Q316tnTs
zg4mVcUhjU7a0hTAh0WHC6QL7Nu4dufUQn8tzRn8vbZvqtY5nbWvwXoTB2vDWtY2
DdkeaXzKed8bnHvJzSzolUXdfYuC5w19C9iHdRbdXI6N7Vf6DYexPlL/HJdED9r0
hh1nXM2N5yeLGzt1/uGj
=hEnC
-----END PGP SIGNATURE-----