Pascom's Cloud Phone System has been completely compromised since a combination of three unique vulnerabilities was discovered by security researchers. Daniel Eshetu of Ethiopian infosec firm Kerbit utilized a trio of less critical security issues to gain full pre-authenticated remote code execution (RCE) on the business-focused Voice over IP (VoIP) and generic communication platform.
A path traversal vulnerability, a web server request forgery (SSRF) fault in an arbitrary piece of software, and a post-authentication RCE flaw were the three components of the successful exploit.
The Pascom Cloud Phone Software is a complete collaboration and communication solution which enables enterprises to host and build up private telephone networks across several platforms, as well as manage, maintain, and upgrade virtual phone systems.
According to the company's LinkedIn, "Pascom, which was founded in 1997 and is the creator of the unique pascom IP phone system software, has over 20 years of expertise providing custom VoIP telecommunications and network infrastructure solutions. By offering organizations a unique, highly professional software-based IP PBX solution, our VoIP phone systems help them add value to the communications."
An arbitrary path traversal flaw in the web interface, a server-side request forgery (SSRF) owing to an outdated third-party dependency (CVE-2019-18394), and a post-authentication command injection utilizing a daemon service are among the three flaws ("exd.pl").
- The SSRF issue was caused by an out-of-date Openfire (XMPP server) jar it was vulnerable to CVE-2021-45967. This is related to CVE-2019-18394, a vulnerability in Openfire's technology that was found three years ago.
- Instant messaging, presence, and contact list functions are all handled by XMPP, an open communication protocol.
- The most recent flaw was command injection in a scheduled task (CVE-2021-45966).
To look at it another way, the vulnerabilities can be chained together to acquire access to non-exposed endpoints by sending arbitrary GET requests to obtain the administrator password, then utilizing those passwords to gain remote code execution via the scheduled job.
"This provides users full control of the device and an easy means to escalate privileges," Daniel Eshetu said, adding the attack chain may be used "to execute commands as root." The issues were reported to Pascom on January 3, 2022, and patches were released as a result. Customers who host CPS should update to the most recent version (pascom Server 19.21) as soon as possible to avoid any potential dangers.
