-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 XPD - XPD Advisory https://xpd.se Enghouse Interactive IVR Pro (VIP2000) remote root authentication bypass Vulnerability Advisory ID: XPD-2013-001 CVE reference: CVE-2013-6838 Affected platforms: IVR Pro/Contact Center (VIP2000) platforms with OpenVZ and fallback customization applied Version: 9.0.3 (rel903) Date: 2013-November-18 Security risk: High Vulnerability: IVR Pro (VIP2000) remote root authentication bypass Researcher: Fredrik Soderblom and Peter Norin Vendor Status: Notified / Patch available Vulnerability Disclosure Policy: https://xpd.se/advisories/xpd-disclosure-policy-01.txt Permanent URL: https://xpd.se/advisories/XPD-2013-001.txt ===================================================================== Description: Vulnerable IVR Pro installations allow unauthenticated users to bypass authentication and login as the 'root' user on the device. The SSH private key corresponding to the following public key is public and present on all vulnerable appliances: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA45UvNUI2IZMrRiM77za5FrX+mWv+XI6+Atfey ITcCbnqz1Z0YGVoMlBqAWIIN/GEesDmJ+kgycxd06jMQXBbrb/dkqYjxDM+n3ohf0w8v8xLPc NtnI65AW//BKkWCAizo1t+doQO2i9WszZYyJ1ZA8V32Jt2l49d1EwQAByW3pZKBohKdDcMCvU IRhNzB1GdZUVB0HgOuClA5xnAkc7NNt/Wftd5SsJxOwT9dlDjBcda4+giqokWUCRqF5GEzAva 8HiZjob8ExkNxhGfoZ5gMB7ZFdzZlLRwI3N7vSA6aJbrm2LxBp1npeQ1mpsrLvMkTrdA1GExS QRJQBoZBW7TyQ== Furthermore the SSH private key is not protected with a passphrase. Its fingerprint is: d6:07:41:f2:5c:ca:77:a5:d2:ef:d8:1b:69:1c:17:b4 ===================================================================== Impact If successful, a malicious third party can get full control of the device with little to no effort. The Attacker might reposition and launch an attack against other parts of the target infrastructure from there. ===================================================================== Versions affected: According to Enghouse Interactive the problem is located in an addon product delivered by Enghouse Interactive Professional Services. The addon utilizes OpenVZ to achieve high availability for the IVR Pro platform. IVR Pro/Contact Center (VIP2000) version 9.0.3 (rel903) with OpenVZ and fallback tested. The vendor reports that the following versions are patched: Same release (9.0.3), with latest release of OpenVZ fallback customization, is fixed ===================================================================== Credits This vulnerability was discovered and researched by Fredrik Soderblom and Peter Norin from XPD AB. ===================================================================== History 18-11-13 Initial Discovery 22-11-13 Initial attempt to contact the vendor 23-11-13 Reply from Radek Zalewski, case is assigned to internal resource 26-11-13 Draft of the advisory sent to the vendor 27-11-13 CVE-2013-6838 is assigned 27-11-13 Enghouse Interactive notifies us that patches are ready 15-01-14 Public disclosure ===================================================================== About XPD XPD AB is a privately held company with Headquarters in Stockholm, Sweden. Established in 2002, XPD AB is an independant security consulting and research firm, with a focus on security and perimeter security solutions. https://xpd.se ===================================================================== Disclaimer and Copyright Copyright (c) 2013-2014 XPD AB. All rights reserved. This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given. The information provided in this advisory is provided "as is" without warranty of any kind. XPD AB disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall XPD AB or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if XPD AB or its suppliers have been advised of the possibility of such damages. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.20 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJSzVtfAAoJEH47YPoA7U9kw1wP/1zDk4SUK03jTqdr44FdaK81 YLzDk5PaZ95ql7rZaD+rGrMvMykkpBiid31gu/UwMr3vYTboAn3bky2fROnbdvjB 72d5GBBxuUq6BjHyimz6zjqtRNsFfN19FHIeB9if83QON4BbRy1v7SNNST49wAC1 1dk0GUcVQOPQBRRIsP2UJLIxMGkbeFRQh/xAp9X4H9BjCnxrjoz6oj5kLHABTBnC decFT7Pw10+M1nyE0CxXPpQ5L+y3+2yFfK8ORCeNYLU2WzC5d+LAjLSizNF3FrAT B8ATAl+vMdgmFLV3z4/CaYbMrmsQZgZmrXU6QpvysdaaIbPaStV0v8vNXJP/K2OG zPJyPPPIU+WbsdyJKM6WKTncx58NNw7ck74qp26H0EpG5uA6mvNQpmf5cGiZh2k0 gINzYmDCKhE4F1yBy8OMjKP7S0n6uqH1wx3WR8JoEXQxRrkncbKkLQBX6SmxSog5 sEa9t+iiEfwUU3YSEqQPFbr88YFE8MgfjyuZBAwB6sYY+H+Lr+uGgOB9Q316tnTs zg4mVcUhjU7a0hTAh0WHC6QL7Nu4dufUQn8tzRn8vbZvqtY5nbWvwXoTB2vDWtY2 DdkeaXzKed8bnHvJzSzolUXdfYuC5w19C9iHdRbdXI6N7Vf6DYexPlL/HJdED9r0 hh1nXM2N5yeLGzt1/uGj =hEnC -----END PGP SIGNATURE-----