The now-patched bugs are easy to exploit, but require prior network access or authentication
GOautodial, an open source call center software suite with 50,000 users worldwide, has patched two vulnerabilities that may lead to information disclosure and remote code execution (RCE).
Discovered by Scott Tolley of the Synopsys Cybersecurity Research Center (CyRC), the first vulnerability, tracked as CVE-2021-43175, has been rated medium severity.
The API router accepts a username, a password, and a route that selects one of the other PHP files implementing the various API functions.
In the vulnerable version of GOautodial, however, the router's validation of the username and password is broken, so a caller can supply any value for those parameters and still be treated as authenticated.
As a result, a caller can name and invoke the second PHP file without holding any valid GOautodial credentials.
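As an added illustration (not GOautodial's code, and not a reconstruction of the actual defect), the following PHP sketch shows the two checks a router of this shape needs: the credential check must fail closed on missing or wrong values, and the route parameter must select from an allow-list rather than name a file. The parameter names, the user table and the route table are constructed for the example.

```php
<?php
// Added example of a fail-closed API router; illustrative only, not GOautodial's code.
declare(strict_types=1);

// Constructed sample user table: passwords stored as password_hash() output.
$users = [
    'agent1' => password_hash('constructed-demo-password', PASSWORD_DEFAULT),
];

// Allow-list of routes: the caller picks a name, never a file path.
const ROUTES = [
    'get_status' => __DIR__ . '/api/status.php',
    'list_calls' => __DIR__ . '/api/calls.php',
];

function authenticate(array $users, ?string $user, ?string $pass): bool
{
    // A missing or empty parameter is never "authenticated".
    if ($user === null || $pass === null || $user === '' || $pass === '') {
        return false;
    }
    if (!array_key_exists($user, $users)) {
        return false;
    }
    // Constant-time hash comparison; an unknown or wrong password fails.
    return password_verify($pass, $users[$user]);
}

function resolve_route(?string $route): ?string
{
    // Unknown or absent route names resolve to nothing, not to a guessed file.
    return $route === null ? null : (ROUTES[$route] ?? null);
}

// Returns the HTTP status the request would receive; the parameter names
// (user_name, user_pass, api_route) are assumptions for this example.
function dispatch(array $users, array $request): int
{
    if (!authenticate($users, $request['user_name'] ?? null, $request['user_pass'] ?? null)) {
        http_response_code(401);
        return 401;   // credentials checked BEFORE any route file is touched
    }
    $file = resolve_route($request['api_route'] ?? null);
    if ($file === null) {
        http_response_code(404);
        return 404;
    }
    require $file;    // only ever one of the allow-listed files
    return 200;
}
```

Under this structure a request with arbitrary credentials stops at the 401 branch, and the configuration-dumping route described in the quotes below is never reached without a verified account.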
“The first vulnerability, the broken authentication on the GOautodial API, allows any network visitor who can access the GOautodial server to simply request a set of configuration data from it, without any type of valid user account or password,” Tolley told The Daily Swig.
“This configuration data includes sensitive data, such as the default passwords of other devices and applications on the network. Attackers can use this data to attack other components of the system.”
This may include other related systems on the network, such as VoIP phones or services.
Authenticated RCE
The second vulnerability, CVE-2021-43176, allows any authenticated user, at any privilege level, to execute code remotely and thereby take full control of the GOautodial application on the server.
It is rated high severity: an attacker could steal data belonging to colleagues and customers, and even rewrite the application to introduce malicious behavior.
“The second vulnerability, remote code execution, allows any ordinary user of the software, such as individual call center workers, to do almost anything they like: delete all data, steal all data, intercept passwords, forge messages,” Tolley said.
“This is a serious matter because it means that any individual user at any level may compromise the integrity of the entire call center; or any attacker who gains access to such user accounts.”
According to the researchers, GOautodial API versions committed on or before September 27, 2021 appear to be vulnerable, including the latest public ISO installer, GOautodial-4-x86_64-Final-20191010-0150.iso.
“For anyone with any technical ability, these two vulnerabilities are easy to exploit. However, it is difficult for non-technical users to do this effectively,” Tolley said.
“Unfortunately, it is easy to develop and package an easy-to-use exploit for non-technical attackers to use.”
Tolley disclosed the vulnerabilities to GOautodial on September 22, and the vendor fixed them on October 20. Synopsys verified the fix on November 17 and published its advisory on December 7.
“The disclosure process with the GOautodial team went smoothly, and they quickly patched these two vulnerabilities,” Tolley said.