During a penetration test, multiple backdoors were uncovered in the firmware of a widely used Voice over Internet Protocol (VoIP) appliance from Auerswald, which could be exploited to gain complete administrative access to the devices.
“Two backdoor passwords were found in the firmware of the COMpact 5500R PBX,” researchers from RedTeam Pentesting said in a technical analysis published Monday. “One backdoor password is for the secret user ‘Schandelah’, the other can be used for the highest-privileged user ‘admin.’ No way was discovered to disable these backdoors.”
The vulnerability is tracked as CVE-2021-40859 and carries a critical severity score of 9.8. Auerswald fixed the bug with a firmware upgrade (version 8.2B) published in November 2021, following responsible disclosure on September 10. Even if you don’t require the advanced capabilities, Firmware Update 8.2B contains essential security patches that you should apply, the company said in a post, without explicitly citing the issue.
A private branch exchange, or PBX, is a switching system that serves a private company. It’s used to establish and control phone conversations between telecommunication endpoints, such as traditional telephone sets, PSTN destinations, and VoIP devices or services.
The backdoor was discovered after RedTeam Pentesting began looking into a service Auerswald offers to customers who lose access to their administrator account: in that case, the password of the privileged account can be changed by contacting the manufacturer.
According to the official documentation, devices check for a hard-coded login “Schandelah” in addition to “sub-admin,” the account required to manage the device. The German pen-testing firm’s follow-up research found that the password for this username is derived by concatenating the PBX’s serial number, the text ‘r2d2,’ and the current date (in ‘DD.MM.YYYY’ format), hashing the result with the MD5 hash algorithm, and taking the first seven lower-case hex characters of the digest.
Simply put, all an attacker needs to generate the password for the username “Schandelah” is the PBX’s serial number, which can be easily obtained from an unauthenticated endpoint (“https://192.168.1[.]2/about state”). That grants access to a web interface through which the administrator password can be reset.
Furthermore, the researchers said they discovered a second backdoor for the administrative username “admin,” for which a fallback password is generated programmatically using the same algorithm, except that a two-letter country code is appended to the concatenated string before the MD5 hash is computed. As in the previous case, the alternative password grants complete privileged access to the PBX without any need to reset the password first.
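From a defender's point of view, the two indicators the article gives are a login as the hidden user “Schandelah” and a privileged login that closely follows an unauthenticated serial-number lookup. The following detection routine, an added example that is not part of the article or of any RedTeam Pentesting or Auerswald code, runs over constructed access-log lines in a hypothetical format (the paths `/about_state` and `/login`, and the field layout, are assumptions, not the appliance's real log format) and flags both patterns:

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical access-log format (assumption,
# not the appliance's real format). Fields: timestamp, client IP, method, path,
# HTTP status, authenticated user ("-" when unauthenticated).
SAMPLE_LOG = """\
2021-11-02T10:14:03 203.0.113.7 GET /about_state 200 -
2021-11-02T10:14:09 203.0.113.7 POST /login 200 Schandelah
2021-11-02T10:20:41 198.51.100.4 POST /login 200 sub-admin
2021-11-02T11:02:15 192.0.2.9 GET /about_state 200 -
2021-11-02T11:02:30 192.0.2.9 POST /login 200 admin
"""

ABOUT_STATE_PATH = "/about_state"   # assumed path of the unauthenticated serial-number endpoint
LOGIN_PATH = "/login"               # assumed login endpoint
BACKDOOR_USER = "Schandelah"        # hidden account named in the advisory
PRIVILEGED_USERS = {"admin", BACKDOOR_USER}
WINDOW = timedelta(minutes=10)      # lookup-to-login correlation window (tunable)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, user = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "status": int(status), "user": user}

def find_backdoor_indicators(log_text):
    """Return (severity, client_ip, reason) tuples for suspicious activity."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    findings = []
    last_about = {}   # client IP -> time of its most recent about_state request
    for e in events:
        if e["path"] == ABOUT_STATE_PATH:
            last_about[e["ip"]] = e["ts"]
        if e["path"] == LOGIN_PATH and e["status"] == 200:
            if e["user"] == BACKDOOR_USER:
                # Any successful login as the hidden user is a backdoor indicator.
                findings.append(("high", e["ip"], "login as hidden backdoor user"))
            elif (e["user"] in PRIVILEGED_USERS and e["ip"] in last_about
                  and e["ts"] - last_about[e["ip"]] <= WINDOW):
                # Serial-number lookup followed by a privileged login from the same client.
                findings.append(("medium", e["ip"], "privileged login shortly after serial-number lookup"))
    return findings

if __name__ == "__main__":
    for severity, ip, reason in find_backdoor_indicators(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```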