GOautodial Flaws Jeopardize Call Center Network Security

GOautodial, an open-source call center software suite with 50,000 customers worldwide, has addressed two vulnerabilities that could result in data leakage and remote code execution (RCE). The first issue, tracked as CVE-2021-43175, was discovered by Scott Tolley of the Synopsys Cybersecurity Research Center (CyRC).

An API router takes a login, password, and action and routes the request to other PHP files that implement the API operations. However, vulnerable versions of GOautodial verify the username and password incorrectly, enabling the caller to authenticate with any value for these fields.
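A router of this shape that authenticates before dispatching and denies on every error path, as an added Python sketch (not GOautodial's code, which is PHP). The field names `user`, `password` and `action`, the sample account and the handler are assumptions; the page does not describe the actual defect, so only the intended behaviour is shown.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash; PBKDF2 parameters are illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, derived hash).
_SALT = os.urandom(16)
USERS = {"agent001": (_SALT, _hash("correct horse battery", _SALT))}
# Random record used for unknown users so they cost the same work to reject.
_DUMMY = (os.urandom(16), os.urandom(32))

# Allow-list of actions: a handler is never located from caller-supplied text.
HANDLERS = {
    "get_user_info": lambda user: {"result": "success", "user": user},
}


def authenticate(user, password) -> bool:
    """Return True only for a known user with the matching password."""
    if not isinstance(user, str) or not isinstance(password, str):
        return False  # missing or non-string fields fail closed
    salt, expected = USERS.get(user, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), expected)
    return matches and user in USERS


def route(request: dict) -> dict:
    """Authenticate first, then dispatch the requested action."""
    if not authenticate(request.get("user"), request.get("password")):
        return {"result": "error", "code": 401}
    handler = HANDLERS.get(request.get("action"))
    if handler is None:
        return {"result": "error", "code": 400}
    return handler(request["user"])
```

The negative cases (wrong password, unknown user, missing fields) are the ones worth keeping as regression tests against an authentication bypass of this kind.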

Another flaw, CVE-2021-43176, lets any authorized user, at any level, gain total control over the GOautodial application on the server through remote code execution. It has a high severity rating because it allows an attacker to steal data from coworkers and customers, as well as modify the application to incorporate harmful behavior.

Tolley said that the second flaw, remote code execution, lets any regular user of the program, such as a single call center employee, do pretty much whatever they want, including deleting all data, stealing all data, intercepting passwords, and falsifying communications. It means that any user at any level, or an attacker who acquires access to such a user’s account, might jeopardize the call center’s integrity.

According to researchers, versions of the GOautodial API at or before commit b951651 on September 27, 2021, including the latest publicly accessible ISO installation GOautodial-4-x86_64-Final-20191010-0150.iso, appear to be susceptible.

On September 22, Tolley informed GOautodial of the vulnerabilities, which were resolved on October 20. Synopsys confirmed the patch on November 17 and issued an advisory on December 7. Tolley also said that the disclosure procedure with the GOautodial team went smoothly and that both vulnerabilities were swiftly addressed.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
