GOautodial vulnerabilities put call center network security at stake

Emma Woollacott December 08, 2021 at 19:59 UTC

Updated: Dec 09, 2021 10:53 UTC

Bugs now fixed were easy to exploit, but required prior authentication/network access

GOautodial, an open-source call center software suite with 50,000 users worldwide, has patched two vulnerabilities that could lead to information disclosure and remote code execution (RCE).

Discovered by Scott Tolley of Synopsys Cybersecurity Research Center (CyRC), the first bug – identified as CVE-2021-43175 – has been classified as medium severity.

The API router accepts a username, a password and an action; the action value selects which of the PHP files implementing the individual API functions handles the request.

However, vulnerable versions of GOautodial incorrectly validate the username and password, allowing the caller to specify any value for these parameters and successfully authenticate.

This allows the caller to name and call a second PHP file without having valid credentials for the GOautodial system.
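To make the router flaw concrete, here is an added illustrative example (not GOautodial's code, which the article does not show): a minimal PHP API router in the shape the article describes, with an authentication check that accepts any credentials and a caller-named include, beside a hardened version that verifies a stored password hash and routes only through an allowlist of actions. All function, parameter and file names are assumptions for illustration.

```php
<?php
// Added illustrative example, not GOautodial's code. It models the two
// flaws the article describes (credentials never verified, caller-named
// PHP file included) and a hardened form. Names are assumptions.

// --- Vulnerable pattern -------------------------------------------------
// The router takes username, password and action, but the "check" only
// tests that the parameters are present; their values are never compared
// against stored users, so any values authenticate.
function vulnerable_authenticate(array $params): bool
{
    return isset($params['username'], $params['password']);
}

function vulnerable_route(array $params): string
{
    if (!vulnerable_authenticate($params)) {
        return 'error: missing credentials';
    }
    // Caller-controlled file name goes straight into include: the caller
    // can name any PHP file reachable from the API directory.
    $file = __DIR__ . '/' . $params['action'] . '.php';
    include $file;
    return 'ok';
}

// --- Hardened pattern ----------------------------------------------------
// Explicit allowlist: action name -> handler file (hypothetical handlers).
const API_ACTIONS = [
    'status'      => 'status.php',
    'call_status' => 'call_status.php',
];

function hardened_authenticate(array $params, array $users): bool
{
    // $users maps username -> password_hash() output (assumed storage format).
    $user = $params['username'] ?? '';
    $pass = $params['password'] ?? '';
    if (!isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

function hardened_route(array $params, array $users): string
{
    if (!hardened_authenticate($params, $users)) {
        return 'error: invalid credentials';
    }
    $action = $params['action'] ?? '';
    // Reject anything that is not a known action; the caller never
    // influences the file path directly.
    if (!array_key_exists($action, API_ACTIONS)) {
        return 'error: unknown action';
    }
    include __DIR__ . '/' . API_ACTIONS[$action];
    return 'ok';
}

// Demonstration with constructed input (no real GOautodial data):
$users  = ['agent1' => password_hash('correct horse', PASSWORD_DEFAULT)];
$forged = ['username' => 'anyone', 'password' => 'x', 'action' => 'get_config'];

var_dump(vulnerable_authenticate($forged));        // accepts the forged login
var_dump(hardened_authenticate($forged, $users));  // rejects it
var_dump(hardened_route($forged, $users));         // never reaches the include
```

The demonstration deliberately does not call `vulnerable_route()`, since that would attempt the include; the point is that the forged parameters pass `vulnerable_authenticate()` while the hardened path rejects them before any file is chosen.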


“The first vulnerability – broken authentication on the GOautodial API – allows any attacker with network access to the GOautodial server to simply request a set of configuration data from it, without any type of valid user account or password,” Tolley tells The Daily Swig.

“This configuration data includes sensitive data such as default passwords for other devices and applications on the network that an attacker could then exploit to attack other system components.”

This may include other related systems on the network, such as telephones or VoIP services.

Authenticated RCE

The second vulnerability, CVE-2021-43176, allows any authenticated user, at any privilege level, to execute code remotely, giving them complete control over the GOautodial application on the server.

Rated high severity, it would allow an attacker to steal data belonging to colleagues and customers, and even rewrite the application to introduce malicious behavior.

“The second vulnerability – remote code execution – allows any regular user of the software, such as a call center employee, to do just about anything: delete all data, steal all data, intercept passwords, tamper with messages,” Tolley said.

“This is serious business because it means that any individual user at any level could compromise the integrity of the entire call center; or any attacker who gains access to such a user’s account.”


According to the researchers, versions of the GOautodial API at or before commit b951651 (September 27, 2021) appear to be vulnerable, including the latest publicly available ISO installer, GOautodial-4-x86_64-Final-20191010-0150.iso.

“Both vulnerabilities are easy to exploit for anyone with technical skills. However, non-technical users would struggle to do this effectively,” says Tolley.

“Unfortunately, it would be easy to develop and package an easy-to-use exploit for non-technical attackers to take advantage of.”

Tolley disclosed the vulnerabilities to GOautodial on September 22; the vendor patched them on October 20, the fix was committed on November 17, and Synopsys published its advisory on December 7.

“The disclosure process with the GOautodial team was smooth and they quickly patched both vulnerabilities,” Tolley says.

