SEC Consult Vulnerability Lab Security Advisory < 20130614-0 >
=======================================================================
              title: Multiple vulnerabilities in Siemens OpenScape Branch
                     and OpenScape Session Border Controller
            product: Siemens OpenScape Branch
                     Siemens OpenScape Session Border Controller (SBC)
 vulnerable version: OpenScape Branch / SBC, all versions prior to
                     V2 R0.32.0 or V7 R1.7.0
      fixed version: V2 R0.32.0 or V7 R1.7.0 (Branch)
                     V2 R0.32.0 or V7 R1.7.0 (SBC)
             impact: Critical
           homepage: http://www.siemens-enterprise.com/
              found: 2012-09-14
                 by: Stefan Viehböck, Michael Heinzl, Florian Lukavsky
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com 
=======================================================================

Vendor description:
-------------------
"OpenScape Branch is a SIP based, Voice over IP application and appliance that
assures continuance of communication services for OpenScape Voice users in
remote branch offices. Unlike other simple survivable remote branch solutions,
OpenScape Branch provides value beyond survivability by adding important local
capabilities such as Media Server, Firewall, and Session Border Controller
(SIP Trunking). The integration of all this capability into a single solution
simplifies and reduces the complexity of a remote office installation."

Source: http://www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/openscape-branch.aspx


"OpenScape Session Border Controller is the smartest and most affordable way for
OpenScape Voice and HiPath 4000 customers to realize the cost-saving advantages
of secure SIP trunking to IP networks, remote offices and workers. Designed
with lowest total cost of ownership in mind, it is a next generation
virtualized application ready for data center deployment as part of a unified
communications solution. OpenScape Session Border Controller provides built-in
SIP-aware security capability that includes dynamic opening and closing of
firewall “pinholes” for media connections, SIP protocol validation, Denial of
Service mitigation, and network topology hiding. It also supports TLS
encryption on both the core- and access-side SIP signaling interfaces as well
as SRTP media encryption for both pass-through and termination mediation
scenarios."

Source: http://www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/session-border-controller.aspx


Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of
the OpenScape Branch / OpenScape Session Border Controller in the course of a
very limited infrastructure audit. Very little time was spent on the affected
products. Some components have been spot-checked, while others have not been
tested at all.

Since VoIP traffic passes through the appliance, interception of phone calls
might be possible. The system can be used as an entry point for further attacks
on the VoIP infrastructure and can thus severely harm the confidentiality of 
sensitive information.

The recommendation of SEC Consult is to restrict network access to the product 
until a comprehensive security audit based on a security source code review has 
been performed and all identified security deficiencies have been resolved by 
the vendor.

The vendor recommends the implementation of the "Security Checklist for
OpenScape Branch and SBC". The specific issues mentioned here are not mitigated
by these measures.



Vulnerability overview/description:
-----------------------------------
1) Unauthenticated access to statistics / information disclosure
Unauthenticated users can access server statistics. These statistics give
detailed system information including CPU, memory and disk usage, uptime, etc.


2) Reflected Cross-Site Scripting (XSS)
Several XSS vulnerabilities were identified. These vulnerabilities e.g. enable
effective session hijacking attacks.


3) Unauthenticated local file disclosure
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the webserver. These files include configuration files containing
sensitive information, all of which might be used in further attacks on the VoIP
infrastructure.


4) Unauthenticated OS command injection
Unauthenticated users can execute arbitrary commands on the underlying
operating system with the privileges of the webserver. This can be used to get
persistent access to the affected system (eg. by planting backdoors) or
accessing all kinds of locally stored information.
The system can be used as an entry point for further attacks on the VoIP
infrastructure.


Proof of concept:
-----------------
Detailed proof of concept URLs or exploit code have been removed from this
advisory.

1) Unauthenticated access to statistics / information disclosure
The following POST request returns detailed information about the server:
<removed>
Affected script: /core/getLog.php


2) Reflected Cross-Site Scripting (XSS)
The following request executes attacker-supplied JavaScript in a victim's
browser: <removed>
Affected script: /core/handleTw.php


3) Unauthenticated local file disclosure
The following POST request shows how files can be extracted from the file
system: <removed>
Affected script: /core/getLog.php


4) Unauthenticated OS command injection
The following POST request shows how arbitrary OS commands can be executed on
the system: <removed>
Affected script: /core/getLog.php


Vulnerable / tested versions:
-----------------------------
OpenScape Branch, all versions
OpenScape SBC, all versions


Vendor contact timeline:
------------------------
2012-10-02: Delivering audit report to mutual customer
2013-03-22: Planned disclosure, but delayed since vulnerabilities were only
            fixed partially
2013-06-14: Coordinated disclosure (OBSO-1306-01)


Solution:
---------
Update to one of the following versions:
OpenScape Branch: V2 R0.32.0 or V7 R1.7.0
OpenScape SBC: V2 R0.32.0 or V7 R1.7.0

Customers with OpenScape Branch V1 R4, should upgrade to V2 or higher.
If a customer is unable to upgrade as recommended at this time, an alternate upgrade to at 
least V1 R4.17.0 will reduce the risk from high to medium.

A patch for V7 R0 will not be released, customers are urged to upgrade to V7 R1.

Vendor advisories are only available via an advisory newsletter service (email).
Information on this advisory is published in Siemens advisory OBSO-1306-01.
Information on how to subscribe can be found at:
http://wiki.siemens-enterprise.com/images/c/ce/Security_Policy_-_Vulnerability_Intelligence_Process.pdf


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2013