Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/7/2019
01:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Security Bugs in Video Chat Tools Enable Remote Attackers

Lifesize is issuing a hotfix to address vulnerabilities in its enterprise collaboration devices, which could give hackers a gateway into target organizations.

Newly discovered security bugs in Lifesize videoconferencing products can be remotely exploited, giving attackers the ability to spy on a target organization or attack other devices.

Trustwave SpiderLabs security researcher Simon Kenin found the remote OS command injection vulnerabilities, which affect Lifesize Team, Lifesize Room, Lifesize Passport, and Lifesize Networker. Lifesize has a range of major clients – eBay, PayPal, and Netflix among them.

Exploitation of these flaws can give adversaries access to the products' firmware. Kenin called the bug "trivial," but it requires some hard-to-get information: Remote hackers will need the firmware code for their target devices, which can only be downloaded from the Lifesize website with a valid serial number for the specific product in mind. But firmware code isn't necessary for attackers with physical device access, says Trustwave threat intelligence manager Karl Sigler.

These bugs affect the Lifesize support page, where users can troubleshoot issues and send log files for their devices. Attackers must log in to the support interface, which often isn't difficult because many owners fail to change the default credentials that ship with Lifesize products.

"The vulnerability itself is in how they implement PHP in the Web interface to the devices," Sigler explains in an interview with Dark Reading. "Unfortunately, the PHP code is pretty poor in how it's implemented ... you can basically execute any command you want on the device using that interface."

It's a "classic programming error," Kenin wrote in a blog post on the findings. User input is passed without any sanitization to the PHP shell_exec function, which executes system commands as the Web server user. With no limit on the type of code that can be passed, attackers who know how to pass arguments to a PHP page can launch any commands they want.

With this vulnerability alone, intruders could gain a foothold on the network and execute commands on the target device to probe other machines on the network. But they also could achieve full persistence on the device with an unpatched privilege escalation bug, which was discovered in 2016 and affects the same pool of devices, Sigler says. The duo would give someone full control of the appliance, access to media, as well as access to other devices.

A Patch is En Route
Trustwave contacted Lifesize in November to begin the disclosure process, did not receive a response, and then re-established contact last month. Lifesize initially said it would not be releasing a patch because the affected devices were legacy and had end-of-life and end-of-sale dates.

It has since changed its position and will be offering a patch. In the meantime, customers using Lifesize 220 systems should contact support for a hotfix. There is no evidence the bugs have been exploited in the wild, says Sigler, and Trustwave promptly reached out to Lifesize so it could create a patch before someone takes advantage of the flaw.

"If we can find it, criminals can, too," he notes.

For companies that decide to abandon support for their legacy systems, Sigler urges making customers aware at least one year ahead of time so they can pursue upgrade or replacement options. They should also make upgrade options available so users understand the risk they're taking on by continuing to use legacy products. 

Trustwave is holding off on its release of the proof-of-concept for these vulnerabilities so users can apply the hotfix. Researcher plan to publish the PoC on Feb. 21, 2019. "At that time, we will release the PoC code to provide users, administrators, and network security professionals with the technical details and tools to validate whether they are still vulnerable," Sigler says.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...
CVE-2021-2299
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful atta...
CVE-2021-2300
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of...