Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection

`SEC Consult Vulnerability Lab Security Advisory < 20130614-0 >  
=======================================================================  
title: Multiple vulnerabilities in Siemens OpenScape Branch  
and OpenScape Session Border Controller  
product: Siemens OpenScape Branch  
Siemens OpenScape Session Border Controller (SBC)  
vulnerable version: OpenScape Branch / SBC, all versions prior to  
V2 R0.32.0 or V7 R1.7.0  
fixed version: V2 R0.32.0 or V7 R1.7.0 (Branch)  
V2 R0.32.0 or V7 R1.7.0 (SBC)  
impact: Critical  
homepage: http://www.siemens-enterprise.com/  
found: 2012-09-14  
by: Stefan Viehböck, Michael Heinzl, Florian Lukavsky  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com   
=======================================================================  
  
Vendor description:  
-------------------  
"OpenScape Branch is a SIP based, Voice over IP application and appliance that  
assures continuance of communication services for OpenScape Voice users in  
remote branch offices. Unlike other simple survivable remote branch solutions,  
OpenScape Branch provides value beyond survivability by adding important local  
capabilities such as Media Server, Firewall, and Session Border Controller  
(SIP Trunking). The integration of all this capability into a single solution  
simplifies and reduces the complexity of a remote office installation."  
  
Source: http://www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/openscape-branch.aspx  
  
  
"OpenScape Session Border Controller is the smartest and most affordable way for  
OpenScape Voice and HiPath 4000 customers to realize the cost-saving advantages  
of secure SIP trunking to IP networks, remote offices and workers. Designed  
with lowest total cost of ownership in mind, it is a next generation  
virtualized application ready for data center deployment as part of a unified  
communications solution. OpenScape Session Border Controller provides built-in  
SIP-aware security capability that includes dynamic opening and closing of  
firewall “pinholes” for media connections, SIP protocol validation, Denial of  
Service mitigation, and network topology hiding. It also supports TLS  
encryption on both the core- and access-side SIP signaling interfaces as well  
as SRTP media encryption for both pass-through and termination mediation  
scenarios."  
  
Source: http://www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/session-border-controller.aspx  
  
  
Business recommendation:  
------------------------  
SEC Consult has identified several vulnerabilities within the components of  
the OpenScape Branch / OpenScape Session Border Controller in the course of a  
very limited infrastructure audit. Very little time was spent on the affected  
products. Some components have been spot-checked, while others have not been  
tested at all.  
  
Since VoIP traffic passes through the appliance, interception of phone calls  
might be possible. The system can be used as an entry point for further attacks  
on the VoIP infrastructure and can thus severely harm the confidentiality of   
sensitive information.  
  
The recommendation of SEC Consult is to restrict network access to the product   
until a comprehensive security audit based on a security source code review has   
been performed and all identified security deficiencies have been resolved by   
the vendor.  
  
The vendor recommends the implementation of the "Security Checklist for  
OpenScape Branch and SBC". The specific issues mentioned here are not mitigated  
by these measures.  
  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Unauthenticated access to statistics / information disclosure  
Unauthenticated users can access server statistics. These statistics give  
detailed system information including CPU, memory and disk usage, uptime, etc.  
  
  
2) Reflected Cross-Site Scripting (XSS)  
Several XSS vulnerabilities were identified. These vulnerabilities e.g. enable  
effective session hijacking attacks.  
  
  
3) Unauthenticated local file disclosure  
Unauthenticated users can read arbitrary files from the filesystem with the  
privileges of the webserver. These files include configuration files containing  
sensitive information, all of which might be used in further attacks on the VoIP  
infrastructure.  
  
  
4) Unauthenticated OS command injection  
Unauthenticated users can execute arbitrary commands on the underlying  
operating system with the privileges of the webserver. This can be used to get  
persistent access to the affected system (eg. by planting backdoors) or  
accessing all kinds of locally stored information.  
The system can be used as an entry point for further attacks on the VoIP  
infrastructure.  
  
  
Proof of concept:  
-----------------  
Detailed proof of concept URLs or exploit code have been removed from this  
advisory.  
  
1) Unauthenticated access to statistics / information disclosure  
The following POST request returns detailed information about the server:  
<removed>  
Affected script: /core/getLog.php  
  
  
2) Reflected Cross-Site Scripting (XSS)  
The following request executes attacker-supplied JavaScript in a victim's  
browser: <removed>  
Affected script: /core/handleTw.php  
  
  
3) Unauthenticated local file disclosure  
The following POST request shows how files can be extracted from the file  
system: <removed>  
Affected script: /core/getLog.php  
  
  
4) Unauthenticated OS command injection  
The following POST request shows how arbitrary OS commands can be executed on  
the system: <removed>  
Affected script: /core/getLog.php  
  
  
Vulnerable / tested versions:  
-----------------------------  
OpenScape Branch, all versions  
OpenScape SBC, all versions  
  
  
Vendor contact timeline:  
------------------------  
2012-10-02: Delivering audit report to mutual customer  
2013-03-22: Planned disclosure, but delayed since vulnerabilities were only  
fixed partially  
2013-06-14: Coordinated disclosure (OBSO-1306-01)  
  
  
Solution:  
---------  
Update to one of the following versions:  
OpenScape Branch: V2 R0.32.0 or V7 R1.7.0  
OpenScape SBC: V2 R0.32.0 or V7 R1.7.0  
  
Customers with OpenScape Branch V1 R4, should upgrade to V2 or higher.  
If a customer is unable to upgrade as recommended at this time, an alternate upgrade to at   
least V1 R4.17.0 will reduce the risk from high to medium.  
  
A patch for V7 R0 will not be released, customers are urged to upgrade to V7 R1.  
  
Vendor advisories are only available via an advisory newsletter service (email).  
Information on this advisory is published in Siemens advisory OBSO-1306-01.  
Information on how to subscribe can be found at:  
http://wiki.siemens-enterprise.com/images/c/ce/Security_Policy_-_Vulnerability_Intelligence_Process.pdf  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Stefan Viehböck / @2013  
  
  
`