exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection

Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection
Posted Jun 14, 2013
Authored by S. Viehbock | Site sec-consult.com

Siemens OpenScape Branch and OpenScape Session Border Controller products suffer from cross site scripting, statistical information disclosure, OS command injection, and file disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
SHA-256 | d411e938d89b49388f3a074efa7d56e1c24eafa0d3427639a9475e7e7b547ce3

Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20130614-0 >
=======================================================================
title: Multiple vulnerabilities in Siemens OpenScape Branch
and OpenScape Session Border Controller
product: Siemens OpenScape Branch
Siemens OpenScape Session Border Controller (SBC)
vulnerable version: OpenScape Branch / SBC, all versions prior to
V2 R0.32.0 or V7 R1.7.0
fixed version: V2 R0.32.0 or V7 R1.7.0 (Branch)
V2 R0.32.0 or V7 R1.7.0 (SBC)
impact: Critical
homepage: https://www.siemens-enterprise.com/
found: 2012-09-14
by: Stefan Viehböck, Michael Heinzl, Florian Lukavsky
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"OpenScape Branch is a SIP based, Voice over IP application and appliance that
assures continuance of communication services for OpenScape Voice users in
remote branch offices. Unlike other simple survivable remote branch solutions,
OpenScape Branch provides value beyond survivability by adding important local
capabilities such as Media Server, Firewall, and Session Border Controller
(SIP Trunking). The integration of all this capability into a single solution
simplifies and reduces the complexity of a remote office installation."

Source: https://www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/openscape-branch.aspx


"OpenScape Session Border Controller is the smartest and most affordable way for
OpenScape Voice and HiPath 4000 customers to realize the cost-saving advantages
of secure SIP trunking to IP networks, remote offices and workers. Designed
with lowest total cost of ownership in mind, it is a next generation
virtualized application ready for data center deployment as part of a unified
communications solution. OpenScape Session Border Controller provides built-in
SIP-aware security capability that includes dynamic opening and closing of
firewall “pinholes” for media connections, SIP protocol validation, Denial of
Service mitigation, and network topology hiding. It also supports TLS
encryption on both the core- and access-side SIP signaling interfaces as well
as SRTP media encryption for both pass-through and termination mediation
scenarios."

Source: https://www.siemens-enterprise.com/us/products-services/voice-solutions/openscape-voice/session-border-controller.aspx


Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of
the OpenScape Branch / OpenScape Session Border Controller in the course of a
very limited infrastructure audit. Very little time was spent on the affected
products. Some components have been spot-checked, while others have not been
tested at all.

Since VoIP traffic passes through the appliance, interception of phone calls
might be possible. The system can be used as an entry point for further attacks
on the VoIP infrastructure and can thus severely harm the confidentiality of
sensitive information.

The recommendation of SEC Consult is to restrict network access to the product
until a comprehensive security audit based on a security source code review has
been performed and all identified security deficiencies have been resolved by
the vendor.

The vendor recommends the implementation of the "Security Checklist for
OpenScape Branch and SBC". The specific issues mentioned here are not mitigated
by these measures.



Vulnerability overview/description:
-----------------------------------
1) Unauthenticated access to statistics / information disclosure
Unauthenticated users can access server statistics. These statistics give
detailed system information including CPU, memory and disk usage, uptime, etc.


2) Reflected Cross-Site Scripting (XSS)
Several XSS vulnerabilities were identified. These vulnerabilities e.g. enable
effective session hijacking attacks.


3) Unauthenticated local file disclosure
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the webserver. These files include configuration files containing
sensitive information, all of which might be used in further attacks on the VoIP
infrastructure.


4) Unauthenticated OS command injection
Unauthenticated users can execute arbitrary commands on the underlying
operating system with the privileges of the webserver. This can be used to get
persistent access to the affected system (eg. by planting backdoors) or
accessing all kinds of locally stored information.
The system can be used as an entry point for further attacks on the VoIP
infrastructure.


Proof of concept:
-----------------
Detailed proof of concept URLs or exploit code have been removed from this
advisory.

1) Unauthenticated access to statistics / information disclosure
The following POST request returns detailed information about the server:
<removed>
Affected script: /core/getLog.php


2) Reflected Cross-Site Scripting (XSS)
The following request executes attacker-supplied JavaScript in a victim's
browser: <removed>
Affected script: /core/handleTw.php


3) Unauthenticated local file disclosure
The following POST request shows how files can be extracted from the file
system: <removed>
Affected script: /core/getLog.php


4) Unauthenticated OS command injection
The following POST request shows how arbitrary OS commands can be executed on
the system: <removed>
Affected script: /core/getLog.php


Vulnerable / tested versions:
-----------------------------
OpenScape Branch, all versions
OpenScape SBC, all versions


Vendor contact timeline:
------------------------
2012-10-02: Delivering audit report to mutual customer
2013-03-22: Planned disclosure, but delayed since vulnerabilities were only
fixed partially
2013-06-14: Coordinated disclosure (OBSO-1306-01)


Solution:
---------
Update to one of the following versions:
OpenScape Branch: V2 R0.32.0 or V7 R1.7.0
OpenScape SBC: V2 R0.32.0 or V7 R1.7.0

Customers with OpenScape Branch V1 R4, should upgrade to V2 or higher.
If a customer is unable to upgrade as recommended at this time, an alternate upgrade to at
least V1 R4.17.0 will reduce the risk from high to medium.

A patch for V7 R0 will not be released, customers are urged to upgrade to V7 R1.

Vendor advisories are only available via an advisory newsletter service (email).
Information on this advisory is published in Siemens advisory OBSO-1306-01.
Information on how to subscribe can be found at:
https://wiki.siemens-enterprise.com/images/c/ce/Security_Policy_-_Vulnerability_Intelligence_Process.pdf


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2013


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close