Enghouse Interactive IVR Pro (VIP2000) Remote Root

2014-01-17T00:00:00
ID PACKETSTORM:124820
Type packetstorm
Reporter Peter Norin
Modified 2014-01-17T00:00:00

Description

                                        
`XPD - XPD Advisory  
https://xpd.se  
  
Enghouse Interactive IVR Pro (VIP2000) remote root  
authentication bypass Vulnerability  
  
Advisory ID: XPD-2013-001  
CVE reference: CVE-2013-6838  
Affected platforms: IVR Pro/Contact Center (VIP2000) platforms   
with OpenVZ and fallback customization applied  
Version: 9.0.3 (rel903)  
Date: 2013-November-18  
Security risk: High  
Vulnerability: IVR Pro (VIP2000) remote root authentication bypass  
Researcher: Fredrik Soderblom and Peter Norin  
Vendor Status: Notified / Patch available  
Vulnerability Disclosure Policy:  
https://xpd.se/advisories/xpd-disclosure-policy-01.txt  
Permanent URL:  
https://xpd.se/advisories/XPD-2013-001.txt  
  
=====================================================================  
Description:  
  
Vulnerable IVR Pro installations allow unauthenticated users to  
bypass authentication and log in as the 'root' user on the device.  
  
The SSH private key corresponding to the following public key is  
public and present on all vulnerable appliances:  
  
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA45UvNUI2IZMrRiM77za5FrX+mWv+XI6+Atfey  
ITcCbnqz1Z0YGVoMlBqAWIIN/GEesDmJ+kgycxd06jMQXBbrb/dkqYjxDM+n3ohf0w8v8xLPc  
NtnI65AW//BKkWCAizo1t+doQO2i9WszZYyJ1ZA8V32Jt2l49d1EwQAByW3pZKBohKdDcMCvU  
IRhNzB1GdZUVB0HgOuClA5xnAkc7NNt/Wftd5SsJxOwT9dlDjBcda4+giqokWUCRqF5GEzAva  
8HiZjob8ExkNxhGfoZ5gMB7ZFdzZlLRwI3N7vSA6aJbrm2LxBp1npeQ1mpsrLvMkTrdA1GExS  
QRJQBoZBW7TyQ==  
  
Furthermore the SSH private key is not protected with a passphrase.  
  
Its fingerprint is:  
d6:07:41:f2:5c:ca:77:a5:d2:ef:d8:1b:69:1c:17:b4  
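
A defender can audit appliances and neighbouring hosts for the published key by fingerprint. The following is an added example, not part of the XPD advisory: it computes the legacy MD5 fingerprint of each authorized_keys entry and compares it with the advisory value; `sample_blob`, `SAMPLE` and the key material in it are constructed placeholders, not real keys.

```python
import base64
import hashlib

# MD5 fingerprint published in advisory XPD-2013-001.
ADVISORY_FINGERPRINT = "d6:07:41:f2:5c:ca:77:a5:d2:ef:d8:1b:69:1c:17:b4"
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def md5_fingerprint(b64_blob):
    """Legacy OpenSSH fingerprint: MD5 over the decoded public key blob."""
    digest = hashlib.md5(base64.b64decode(b64_blob, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def scan_authorized_keys(text, bad_fingerprints=(ADVISORY_FINGERPRINT,)):
    """Return (line_number, fingerprint, comment) for every matching key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options (from="...", command="...") may precede the key type,
        # so locate the key-type field instead of assuming it is first.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPE_PREFIXES):
                try:
                    fp = md5_fingerprint(fields[i + 1])
                except ValueError:
                    break  # damaged or truncated key material
                if fp in bad_fingerprints:
                    hits.append((lineno, fp, " ".join(fields[i + 2:])))
                break
    return hits


def sample_blob(label):
    # Constructed stand-in for key material; not a real SSH key.
    return base64.b64encode(label.encode()).decode()


# Constructed authorized_keys content used only to exercise the scanner.
SAMPLE = "\n".join([
    "# constructed sample",
    "ssh-ed25519 " + sample_blob("constructed-key-A") + " admin@workstation",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + sample_blob("constructed-key-B") + " root@ha-peer",
    "ssh-rsa not*base64 broken",
])
```

Pass the contents of each account's authorized_keys file to `scan_authorized_keys`; with the default argument, any hit is an entry that trusts the key described in this advisory.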
  
=====================================================================  
Impact  
  
If successful, a malicious third party can get full control of the  
device with little to no effort. The attacker might reposition and  
launch an attack against other parts of the target infrastructure  
from there.  
  
=====================================================================  
Versions affected:  
  
According to Enghouse Interactive the problem is located in an addon  
product delivered by Enghouse Interactive Professional Services. The  
addon utilizes OpenVZ to achieve high availability for the IVR Pro  
platform.  
  
IVR Pro/Contact Center (VIP2000) version 9.0.3 (rel903) with OpenVZ   
and fallback tested.   
  
The vendor reports that the same release (9.0.3) is fixed when the  
latest release of the OpenVZ fallback customization is applied.  
  
=====================================================================  
Credits  
  
This vulnerability was discovered and researched by Fredrik Soderblom  
and Peter Norin from XPD AB.  
  
=====================================================================  
History  
  
18-11-13 Initial Discovery  
22-11-13 Initial attempt to contact the vendor  
23-11-13 Reply from Radek Zalewski, case is assigned to internal resource  
26-11-13 Draft of the advisory sent to the vendor  
27-11-13 CVE-2013-6838 is assigned  
27-11-13 Enghouse Interactive notifies us that patches are ready  
15-01-14 Public disclosure  
  
=====================================================================  
About XPD  
  
XPD AB is a privately held company with headquarters in Stockholm, Sweden.  
Established in 2002, XPD AB is an independent security consulting and  
research firm, with a focus on security and perimeter security solutions.  
  
https://xpd.se  
  
=====================================================================  
Disclaimer and Copyright  
  
Copyright (c) 2013-2014 XPD AB. All rights reserved.  
This advisory may be distributed as long as its distribution is  
free-of-charge and proper credit is given.  
  
The information provided in this advisory is provided "as is" without  
warranty of any kind. XPD AB disclaims all warranties, either  
express or implied, including the warranties of merchantability and  
fitness for a particular purpose. In no event shall XPD AB or  
its suppliers be liable for any damages whatsoever including direct,  
indirect, incidental, consequential, loss of business profits or  
special damages, even if XPD AB or its suppliers have been advised  
of the possibility of such damages.  
  
  
  
`