A researcher has discovered numerous security vulnerabilities affecting Pascom Cloud Phone Systems. Exploiting the bugs could allow an unauthenticated adversary to gain root access to devices.
Pascom Phone System Vulnerabilities
Security researcher Daniel Eshetu from cybersecurity firm Kerbit shared details of three RCE vulnerabilities in Pascom Cloud Phone Systems.
As explained in a post, the researcher could chain the three vulnerabilities to gain root access. The attack would require no authentication.
Briefly, the researcher found the following three bugs affecting the Pascom system.
- CVE-2021-45968: a path traversal vulnerability in Nginx-to-Tomcat reverse proxy requests exposed Java endpoints.
- CVE-2021-45967: a server-side request forgery (SSRF) bug existed due to an outdated Openfire (XMPP server) jar. Exploiting this vulnerability, following CVE-2021-45968, allowed accessing any endpoint.
- CVE-2021-45966: a command injection vulnerability existed in a scheduled task. Exploiting this flaw with the other two would complete the remote code execution attack.
The researcher has also shared an exploit demo in his post.
Pascom Patched The Bugs
Upon discovering the vulnerabilities, Kerbit informed Pascom about the bugs in January. Consequently, the vendor released fixes in the 7.20.x versions. Pascom confirmed this via a tweet when the researcher went ahead with publicly disclosing the flaws.
On this note, we just wanted to thank @KerbitSec for the quick and effective cooperation in ensuring we closed these vulnerabilities!
— pascom_net (@pascom_net) March 9, 2022
Hence, all users hosting the CPS should update their devices to receive the fixes.
Nonetheless, the researcher confirmed that the second vulnerability does not affect CPS instances hosted in the cloud. But the RCE would still work.
If your CPS instance is hosted on the cloud (Provided by PasCom) then the second bug does not exist so it breaks the chain. But it’s still affected by the RCE.
Yet, that doesn’t need any input from the users since Pascom would deploy the patches automatically.
Pascom is a Germany-based cloud phone systems provider facilitating communications for businesses and individuals.