Multiple vulnerabilities in Siemens OpenScape Branch

SEC Consult Vulnerability Lab Security Advisory < 20130614-0 >

=======================================================================

title: Multiple vulnerabilities in Siemens OpenScape Branch

and OpenScape Session Border Controller

product: Siemens OpenScape Branch

Siemens OpenScape Session Border Controller (SBC)

vulnerable version: OpenScape Branch / SBC, all versions prior to

V2 R0.32.0 or V7 R1.7.0

fixed version: V2 R0.32.0 or V7 R1.7.0 (Branch)

V2 R0.32.0 or V7 R1.7.0 (SBC)

impact: Critical

homepage: www.siemens-enterprise.com

found: 2012-09-14

by: Stefan Viehböck, Michael Heinzl, Florian Lukavsky

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"OpenScape Branch is a SIP based, Voice over IP application and appliance that

assures continuance of communication services for OpenScape Voice users in

remote branch offices. Unlike other simple survivable remote branch solutions,

OpenScape Branch provides value beyond survivability by adding important local

capabilities such as Media Server, Firewall, and Session Border Controller

(SIP Trunking). The integration of all this capability into a single solution

simplifies and reduces the complexity of a remote office installation."

Source: www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/openscape-branch.aspx

 

"OpenScape Session Border Controller is the smartest and most affordable way for

OpenScape Voice and HiPath 4000 customers to realize the cost-saving advantages

of secure SIP trunking to IP networks, remote offices and workers. Designed

with lowest total cost of ownership in mind, it is a next generation

virtualized application ready for data center deployment as part of a unified

communications solution. OpenScape Session Border Controller provides built-in

SIP-aware security capability that includes dynamic opening and closing of

firewall “pinholes” for media connections, SIP protocol validation, Denial of

Service mitigation, and network topology hiding. It also supports TLS

encryption on both the core- and access-side SIP signaling interfaces as well

as SRTP media encryption for both pass-through and termination mediation

scenarios."

Source: www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/session-border-controller.aspx

 

Business recommendation:

------------------------

SEC Consult has identified several vulnerabilities within the components of

the OpenScape Branch / OpenScape Session Border Controller in the course of a

very limited infrastructure audit. Very little time was spent on the affected

products. Some components have been spot-checked, while others have not been

tested at all.

Since VoIP traffic passes through the appliance, interception of phone calls

might be possible. The system can be used as an entry point for further attacks

on the VoIP infrastructure and can thus severely harm the confidentiality of

sensitive information.

The recommendation of SEC Consult is to restrict network access to the product

until a comprehensive security audit based on a security source code review has

been performed and all identified security deficiencies have been resolved by

the vendor.

The vendor recommends the implementation of the "Security Checklist for

OpenScape Branch and SBC". The specific issues mentioned here are not mitigated

by these measures.

 

Vulnerability overview/description:

-----------------------------------

1) Unauthenticated access to statistics / information disclosure

Unauthenticated users can access server statistics. These statistics give

detailed system information including CPU, memory and disk usage, uptime, etc.

 

2) Reflected Cross-Site Scripting (XSS)

Several XSS vulnerabilities were identified. These vulnerabilities e.g. enable

effective session hijacking attacks.

 

3) Unauthenticated local file disclosure

Unauthenticated users can read arbitrary files from the filesystem with the

privileges of the webserver. These files include configuration files containing

sensitive information, all of which might be used in further attacks on the VoIP

infrastructure.

 

4) Unauthenticated OS command injection

Unauthenticated users can execute arbitrary commands on the underlying

operating system with the privileges of the webserver. This can be used to get

persistent access to the affected system (eg. by planting backdoors) or

accessing all kinds of locally stored information.

The system can be used as an entry point for further attacks on the VoIP

infrastructure.

 

Proof of concept:

-----------------

Detailed proof of concept URLs or exploit code have been removed from this

advisory.

1) Unauthenticated access to statistics / information disclosure

The following POST request returns detailed information about the server:

 

<removed>

Affected script: /core/getLog.php

 

2) Reflected Cross-Site Scripting (XSS)

The following request executes attacker-supplied JavaScript in a victim's

browser: <removed>

Affected script: /core/handleTw.php

 

3) Unauthenticated local file disclosure

The following POST request shows how files can be extracted from the file

system: <removed>

Affected script: /core/getLog.php

 

4) Unauthenticated OS command injection

The following POST request shows how arbitrary OS commands can be executed on

the system: <removed>

 

Affected script: /core/getLog.php

 

Vulnerable / tested versions:

-----------------------------

OpenScape Branch, all versions

OpenScape SBC, all versions

 

Vendor contact timeline:

------------------------

2012-10-02: Delivering audit report to mutual customer

2013-03-22: Planned disclosure, but delayed since vulnerabilities were only

fixed partially

2013-06-14: Coordinated disclosure (OBSO-1306-01)

 

Solution:

---------

Update to one of the following versions:

OpenScape Branch: V2 R0.32.0 or V7 R1.7.0

OpenScape SBC: V2 R0.32.0 or V7 R1.7.0

Customers with OpenScape Branch V1 R4, should upgrade to V2 or higher.

If a customer is unable to upgrade as recommended at this time, an alternate upgrade to at

least V1 R4.17.0 will reduce the risk from high to medium.

A patch for V7 R0 will not be released, customers are urged to upgrade to V7 R1.

Vendor advisories are only available via an advisory newsletter service (email).

Information on this advisory is published in Siemens advisory OBSO-1306-01.

Information on how to subscribe can be found at:

wiki.siemens-enterprise.com/images/c/ce/Security_Policy_-_Vulnerability_Intelligence_Process.pdf

 

Workaround:

-----------

No workaround available.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

EOF Stefan Viehböck / @2013