Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/7/2019
01:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security Bugs in Video Chat Tools Enable Remote Attackers

Lifesize is issuing a hotfix to address vulnerabilities in its enterprise collaboration devices, which could give hackers a gateway into target organizations.

Newly discovered security bugs in Lifesize videoconferencing products can be remotely exploited, giving attackers the ability to spy on a target organization or attack other devices.

Trustwave SpiderLabs security researcher Simon Kenin found the remote OS command injection vulnerabilities, which affect Lifesize Team, Lifesize Room, Lifesize Passport, and Lifesize Networker. Lifesize has a range of major clients – eBay, PayPal, and Netflix among them.

Exploitation of these flaws can give adversaries access to the products' firmware. Kenin called the bug "trivial," but it requires some hard-to-get information: Remote hackers will need the firmware code for their target devices, which can only be downloaded from the Lifesize website with a valid serial number for the specific product in mind. But firmware code isn't necessary for attackers with physical device access, says Trustwave threat intelligence manager Karl Sigler.

These bugs affect the Lifesize support page, where users can troubleshoot issues and send log files for their devices. Attackers must log in to the support interface, which often isn't difficult because many owners fail to change the default credentials that ship with Lifesize products.

"The vulnerability itself is in how they implement PHP in the Web interface to the devices," Sigler explains in an interview with Dark Reading. "Unfortunately, the PHP code is pretty poor in how it's implemented ... you can basically execute any command you want on the device using that interface."

It's a "classic programming error," Kenin wrote in a blog post on the findings. User input is passed without any sanitization to the PHP shell_exec function, which executes system commands as the Web server user. With no limit on the type of code that can be passed, attackers who know how to pass arguments to a PHP page can launch any commands they want.

With this vulnerability alone, intruders could gain a foothold on the network and execute commands on the target device to probe other machines on the network. But they also could achieve full persistence on the device with an unpatched privilege escalation bug, which was discovered in 2016 and affects the same pool of devices, Sigler says. The duo would give someone full control of the appliance, access to media, as well as access to other devices.

A Patch is En Route
Trustwave contacted Lifesize in November to begin the disclosure process, did not receive a response, and then re-established contact last month. Lifesize initially said it would not be releasing a patch because the affected devices were legacy and had end-of-life and end-of-sale dates.

It has since changed its position and will be offering a patch. In the meantime, customers using Lifesize 220 systems should contact support for a hotfix. There is no evidence the bugs have been exploited in the wild, says Sigler, and Trustwave promptly reached out to Lifesize so it could create a patch before someone takes advantage of the flaw.

"If we can find it, criminals can, too," he notes.

For companies that decide to abandon support for their legacy systems, Sigler urges making customers aware at least one year ahead of time so they can pursue upgrade or replacement options. They should also make upgrade options available so users understand the risk they're taking on by continuing to use legacy products. 

Trustwave is holding off on its release of the proof-of-concept for these vulnerabilities so users can apply the hotfix. Researcher plan to publish the PoC on Feb. 21, 2019. "At that time, we will release the PoC code to provide users, administrators, and network security professionals with the technical details and tools to validate whether they are still vulnerable," Sigler says.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15224
PUBLISHED: 2019-08-19
The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
CVE-2019-15225
PUBLISHED: 2019-08-19
In Envoy through 1.11.1, users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.
CVE-2019-15223
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.
CVE-2019-15211
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.
CVE-2019-15212
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.