The backdoors were detected during penetration testing by RedTeam Pentesting GmbH.
On December 20th, it was reported that a backdoor was found in the network of a US Federal Agency. Now, RedTeam Pentesting researchers have identified multiple backdoors in a commonly used VoIP (voice over Internet protocol) appliance made by the German telecom hardware manufacturer Auerswald.
SEE: German audio tech giant Sennheiser exposed 55GB of users’ data
The backdoors were detected during penetration testing, and according to RedTeam Pentesting’s researchers, attackers can quickly obtain full administrative access to the devices.
Two Backdoors Found
In their technical analysis report published on Monday, RedTeam Pentesting researchers revealed that they discovered two backdoor passwords in the firmware of the COMpact 5500R PBX. One backdoor password was for the “solution user ‘Schandelah’,” and the other was used for the “optimum-privileged user’ admin.’”
“It turns out that Schandelah is the name of a tiny village in northern Germany where Auerswald produces their devices,” the report read.
However, researchers noted that they could not identify any way to disable the backdoors. The vulnerability is tracked as CVE-2021-40859 and assigned a CVSS score of 9.8.
What is PBX?
For your information, PBX refers to Private Branch Exchange. It is a switching system, which serves as a private organization and is used to control/establish telephone calls between different telecom endpoints, such as traditional telephone sets, public switched telephone network destinations, and VoIP networks services and devices.
Problem Resolved by Auerswald
RedTeam Pentesting informed Auerswald on September 10, 2021, following a responsible disclosure practice. The German manufacturer fixed the issue in a firmware update released in November 2021. The company urges users to upgrade to the new version to stay protected.
“Firmware Update 8.2B contains important security updates that you should definitely apply, even if you don’t need the advanced features,” the company stated.
Attack Scenario
An attacker simply needs to generate the password from Schandelah’s username to obtain the serial number of the PBX. This information can be retrieved using any unauthenticated endpoint, and the attacker can easily access a web interface that lets them reset the administrator password.
Researchers identified that a fallback password is derived using the MD5 Hash algorithm for the second backdoors associated with the username Admin.
SEE: Bandwidth.com is the latest victim of nonstop DDoS attacks against VoIP
However, the difference between both backdoors is that the latter uses a two-letter country code that is suffixed to a concatenated string before creating the MD5 hash. This password also provides full privilege access to the PBX without changing the password.
“Using the backdoor, attackers are granted access to the PBX with the highest privileges, enabling them to completely compromise the device. The backdoor passwords are not documented. They secretly coexist with a documented password recovery function supported by the vendor,” researchers explained.
