Researchers discovered three vulnerabilities in Pascom Cloud Phone System (CPS). Combined, they allow complete pre-authentication remote code execution on affected systems.
Kerbit security researcher Daniel Eshetu said the shortcomings, when chained together, can lead to “an unauthenticated attacker gaining root on these devices.”
Pascom Cloud Phone System enables businesses to set up and manage private phone networks on different platforms. It also facilitates the maintenance and updating of virtual telephone systems.
The three flaws are an arbitrary path traversal in the web interface, a server-side request forgery (SSRF) caused by an outdated third-party dependency (CVE-2019-18394), and a post-authentication command injection in a daemon service (“exd.pl”).
In other words, the vulnerabilities can be chained: the traversal and SSRF give access to non-exposed endpoints through arbitrary GET requests, those endpoints disclose the administrator password, and that password is then used to gain remote code execution through the scheduled task.
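The first link of the chain is an arbitrary path traversal in the web interface. The following Python is an added illustration of that bug class from the defender's side, not Pascom's code and not a reproduction of the CPS flaw: a path-resolution check that refuses any request resolving outside the document root (including percent- and double-encoded `..` sequences), and a small scan over constructed web-server log lines that flags the same attempts for detection. The document root `/var/www/app`, the log lines and the IP addresses are all made up for the example.

```python
# Added illustrative example: a defensive guard against the path traversal
# bug class, plus detection over constructed access-log lines. Not Pascom code.
import os
import re
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/app"  # assumed document root for this example only


def resolve_under_root(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute filesystem path for `requested` if it stays inside
    `root`, otherwise None. Percent-encoding is decoded repeatedly first so
    that "%2e%2e" and double-encoded "%252e%252e" are normalised like "..".
    Embedded NUL bytes are rejected outright (classic C-string truncation)."""
    decoded = requested
    for _ in range(3):  # collapse nested encodings: %252e -> %2e -> .
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return None
    root_norm = os.path.normpath(root)
    # Join relative to root and let normpath resolve any ".." components;
    # only then compare against the root prefix.
    candidate = os.path.normpath(os.path.join(root_norm, decoded.lstrip("/")))
    if candidate == root_norm or candidate.startswith(root_norm + os.sep):
        return candidate
    return None


# Obvious traversal markers (raw and encoded). The resolver above is the real
# control; this regex just labels attempts for the detection report.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e|\.\.%2f|%c0%ae)", re.IGNORECASE)

# Constructed sample access-log lines (not real Pascom logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 403 0
10.0.0.9 - - [01/Jan/2022:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/config HTTP/1.1" 403 0
10.0.0.7 - - [01/Jan/2022:10:00:04 +0000] "GET /img/logo.png HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def find_traversal_attempts(log_text: str) -> List[str]:
    """Return "<client ip> <path>" for every request whose path either carries
    a traversal marker or fails to resolve inside the document root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if TRAVERSAL_RE.search(path) or resolve_under_root(path) is None:
            hits.append(f"{line.split()[0]} {path}")
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Checking the resolved path against the root (rather than pattern-matching the request string alone) is what makes the guard robust: the regex would miss a novel encoding, but a path that normalises to something outside the root is rejected no matter how it was spelled.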
The exploit chain can be used to “execute commands as root”, Eshetu stated, adding that this gives complete control over the system and makes privilege escalation trivial. The flaws were reported to Pascom on January 3, 2022, and patches have since been released.
Customers who self-host CPS, as opposed to using the cloud service, are advised to update to the latest version (pascom Server 19.21) as soon as possible.