SB2019040107 - Multiple vulnerabilities in Grandstream GXP16xx VoIP phones

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) OS Command Injection (CVE-ID: CVE-2018-17565)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to Shell Metacharacter Injection in the SSH configuration interface. A remote unauthenticated attacker can execute arbitrary OS commands and gain a root shell on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2018-17564)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the "/app/war/cgi-bin/delete_CA" haserl script does not require authentication and permits to delete a previously uploaded CA certificate. A remote attacker can delete configuration parameters and gain admin access to the device.

Remediation

Install update from vendor's website.

References

• http://grandstream.com/support/firmware
• https://iridiumxor.wordpress.com/2019/01/03/three-simple-cves-for-a-good-voip-phone/