Security researchers have disclosed three vulnerabilities in the Pascom Cloud Phone System (CPS) that, chained together, allow unauthenticated (pre-auth) remote code execution on affected installations. According to Kerbit security researcher Daniel Eshetu, once the flaws are linked together, “an unauthenticated attacker can get root on these devices.”
The Pascom Cloud Phone System is an integrated communication and collaboration platform that lets enterprises host and set up private telephone networks across multiple platforms, and manage, maintain and upgrade virtual phone systems. The three issues are an arbitrary path traversal in the web interface, a server-side request forgery (SSRF) caused by an outdated third-party dependency (CVE-2019-18394), and a post-authentication command injection through a daemon service (“exd.pl”).
In practice, the chain works as follows: the first two flaws give access to endpoints that are not meant to be exposed, arbitrary GET requests to those endpoints yield the administrator password, and that password is then used to reach the command injection and obtain remote code execution via the scheduled task.
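The article names the vulnerability class that opens the chain, arbitrary path traversal in a web interface, but gives no detail of the Pascom bug itself. The following is an added example, not Pascom's code and not the researcher's exploit: a generic, self-contained illustration of how a traversal bug typically arises in a file-serving handler and how the containment check that prevents it looks. The web root, the request paths and the function names are constructed for the demonstration.

```python
"""Generic illustration of the path-traversal class named in the article.

Added example: this is not Pascom's code. WEB_ROOT, the handler names and
the request paths are constructed for the demonstration.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"  # constructed, hypothetical document root


def _decode(user_path: str) -> str:
    # Decode percent-encoding once, so "%2e%2e" is treated as "..".
    # A NUL byte has no legitimate use in a request path: reject it outright.
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    return decoded


def vulnerable_resolve(user_path: str) -> str:
    """Naive join of root and request path, the shape most traversal bugs take.

    Two things go wrong: ".." segments walk above the root once the path is
    normalised, and an absolute request path makes join() discard the root
    entirely.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, _decode(user_path)))


def safe_resolve(user_path: str) -> Optional[str]:
    """Resolve a request path and refuse anything that leaves WEB_ROOT.

    Returns the normalised absolute path, or None when the request would
    escape the root.
    """
    decoded = _decode(user_path)
    # Strip leading slashes so an absolute request path cannot replace the root.
    rel = decoded.lstrip("/")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    # Containment check on the normalised path. The trailing "/" matters:
    # a bare startswith(WEB_ROOT) would also accept "/srv/app/public2/...".
    if full == WEB_ROOT or full.startswith(WEB_ROOT + "/"):
        return full
    return None


if __name__ == "__main__":
    # Constructed request paths: the first two escape the root, the last does not.
    for req in ("../../../etc/passwd", "/etc/passwd", "css/site.css"):
        print(f"{req!r:28} naive -> {vulnerable_resolve(req)!r:24} "
              f"checked -> {safe_resolve(req)!r}")
```

The check is purely lexical, which is what a web handler can do before touching the filesystem; on a real deployment the served path should additionally be passed through `os.path.realpath` and re-checked against the root, because symlinks under the document root can point outside it. Whether the root is a web directory or, as in the chain described above, a set of internal endpoints reached through SSRF, the rule is the same: normalise first, then prove the result is contained before using it.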
Eshetu said the exploit chain could be used “to execute commands as root,” adding that “this gives us full control of the machine and an easy way to escalate privileges.” The vulnerabilities were reported to Pascom on January 3, 2022, and the vendor has since released fixes.
Customers who self-host CPS rather than use the cloud offering should update to the latest version (pascom Server 19.21) as soon as possible to close off the attack chain.