Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/7/2019
01:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security Bugs in Video Chat Tools Enable Remote Attackers

Lifesize is issuing a hotfix to address vulnerabilities in its enterprise collaboration devices, which could give hackers a gateway into target organizations.

Newly discovered security bugs in Lifesize videoconferencing products can be remotely exploited, giving attackers the ability to spy on a target organization or attack other devices.

Trustwave SpiderLabs security researcher Simon Kenin found the remote OS command injection vulnerabilities, which affect Lifesize Team, Lifesize Room, Lifesize Passport, and Lifesize Networker. Lifesize has a range of major clients – eBay, PayPal, and Netflix among them.

Exploitation of these flaws can give adversaries access to the products' firmware. Kenin called the bug "trivial," but it requires some hard-to-get information: Remote hackers will need the firmware code for their target devices, which can only be downloaded from the Lifesize website with a valid serial number for the specific product in mind. But firmware code isn't necessary for attackers with physical device access, says Trustwave threat intelligence manager Karl Sigler.

These bugs affect the Lifesize support page, where users can troubleshoot issues and send log files for their devices. Attackers must log in to the support interface, which often isn't difficult because many owners fail to change the default credentials that ship with Lifesize products.

"The vulnerability itself is in how they implement PHP in the Web interface to the devices," Sigler explains in an interview with Dark Reading. "Unfortunately, the PHP code is pretty poor in how it's implemented ... you can basically execute any command you want on the device using that interface."

It's a "classic programming error," Kenin wrote in a blog post on the findings. User input is passed without any sanitization to the PHP shell_exec function, which executes system commands as the Web server user. With no limit on the type of code that can be passed, attackers who know how to pass arguments to a PHP page can launch any commands they want.

With this vulnerability alone, intruders could gain a foothold on the network and execute commands on the target device to probe other machines on the network. But they also could achieve full persistence on the device with an unpatched privilege escalation bug, which was discovered in 2016 and affects the same pool of devices, Sigler says. The duo would give someone full control of the appliance, access to media, as well as access to other devices.

A Patch is En Route
Trustwave contacted Lifesize in November to begin the disclosure process, did not receive a response, and then re-established contact last month. Lifesize initially said it would not be releasing a patch because the affected devices were legacy and had end-of-life and end-of-sale dates.

It has since changed its position and will be offering a patch. In the meantime, customers using Lifesize 220 systems should contact support for a hotfix. There is no evidence the bugs have been exploited in the wild, says Sigler, and Trustwave promptly reached out to Lifesize so it could create a patch before someone takes advantage of the flaw.

"If we can find it, criminals can, too," he notes.

For companies that decide to abandon support for their legacy systems, Sigler urges making customers aware at least one year ahead of time so they can pursue upgrade or replacement options. They should also make upgrade options available so users understand the risk they're taking on by continuing to use legacy products. 

Trustwave is holding off on its release of the proof-of-concept for these vulnerabilities so users can apply the hotfix. Researcher plan to publish the PoC on Feb. 21, 2019. "At that time, we will release the PoC code to provide users, administrators, and network security professionals with the technical details and tools to validate whether they are still vulnerable," Sigler says.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.