Add new CVEs for Jake and Mike - Grandstream Networks
Aaron Carreras committed Mar 22, 2021
1 parent 2889805, commit 9329fa5
Showing 2 changed files with 76 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# FEYE-2021-0001 | ||
## Description | ||
Grandstream Networks' GRP261x VoIP phone is susceptible to authenticated command injection as the privileged user `root` in its administrative web interface. When combined with CVE-2020-25218, unauthenticated remote code execution is possible. | ||
|
||
## Impact | ||
High - An attacker with remote network access to a GRP261x could remotely compromise the device. This could be used to install malware, modify system behavior, or stage a more serious attack. | ||
|
||
## Exploitability | ||
High - When used in combination with CVE-2020-25218, an unauthenticated user with remote access to the administrative web interface could execute commands as the privileged user `root`. | ||
|
||
## CVE Reference | ||
CVE-2020-25217 | ||
|
||
## Technical Details | ||
Mandiant discovered the GRP261x is vulnerable to command injection in the following API: | ||
|
||
* http(s)://\<device\>/cgi-bin/api-traceroute\_and\_ping | ||
|
||
Mandiant determined that the `url` POST parameter was not properly sanitized by the server, resulting in a command injection vulnerability. | ||
|
||
## Resolution | ||
Grandstream Networks has fixed the reported vulnerability in [version 1.0.5.27](http://firmware.grandstream.com/Release_Note_GRP261x_1.0.5.27.pdf) (October 2020) of the GRP162x software. | ||
|
||
## Discovery Credits | ||
- Jake Valletta, FireEye Mandiant | ||
- Michael Maturi, FireEye Mandiant | ||
|
||
## Disclosure Timeline | ||
|
||
- 9 September 2020 - Issue reported to vendor | ||
- 9 September 2020 - CVE reserved with MITRE | ||
- 11 September 2020 - Issue confirmed by Grandstream Networks | ||
- 30 October 2020 - Grandstream Networks Releases Patch | ||
- 22 March 2021 - FireEye Mandiant advisory published | ||
|
||
## References | ||
|
||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25217 |
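Review bot: the Resolution section names the patched product as "GRP162x software", while every other line of this advisory and the linked release note (`Release_Note_GRP261x_1.0.5.27.pdf`) say GRP261x; change it to `of the GRP261x software`. The Description and Exploitability sections also depend on CVE-2020-25218 for the unauthenticated chain, but the References list only carries CVE-2020-25217; add the MITRE link for CVE-2020-25218 (or a pointer to FEYE-2021-0002) so the companion advisory is reachable from this one. Minor: "Grandstream Networks Releases Patch" in the timeline should be lower-case "releases patch" to match the other entries.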
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# FEYE-2021-0002 | ||
## Description | ||
Grandstream Networks' GRP261x VoIP phone is susceptible to an authentication bypass vulnerability in its administrative web interface. When combined with CVE-2020-25217, unauthenticated remote code execution as the privileged user `root` is possible. | ||
|
||
## Impact | ||
High - An attacker with remote network access to a GRP261x could remotely compromise the device. This could be used to install malware, modify system behavior, or stage a more serious attack. | ||
|
||
## Exploitability | ||
High - When used in combination with CVE-2020-25217, an unauthenticated user with remote access to the administrative web interface could execute commands as the privileged user `root`. | ||
|
||
## CVE Reference | ||
CVE-2020-25218 | ||
|
||
## Technical Details | ||
Mandiant discovered the GRP261x is vulnerable to an authentication bypass in the following API: | ||
|
||
* http(s)://\<device\>/cgi-bin/direct-login | ||
|
||
Mandiant determined that HTTP GET requests to this URL were processed by the server without credentials. The server responded with a valid `session-identity` cookie for the web role `admin`, which could then be used to access the administrative web interface as the authenticated user `admin`. | ||
|
||
## Resolution | ||
Grandstream Networks has fixed the reported vulnerability in [version 1.0.5.27](http://firmware.grandstream.com/Release_Note_GRP261x_1.0.5.27.pdf) (October 2020) of the GRP162x software. | ||
|
||
## Discovery Credits | ||
- Jake Valletta, FireEye Mandiant | ||
- Michael Maturi, FireEye Mandiant | ||
|
||
## Disclosure Timeline | ||
|
||
- 9 September 2020 - Issue reported to vendor | ||
- 9 September 2020 - CVE reserved with MITRE | ||
- 11 September 2020 - Issue confirmed by Grandstream Networks | ||
- 30 October 2020 - Grandstream Networks Releases Patch | ||
- 22 March 2021 - FireEye Mandiant advisory published | ||
|
||
## References | ||
|
||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25218 |
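Review bot: the same product typo appears in this file's Resolution section: "GRP162x software" should read "GRP261x software", matching the Description and the release note URL. The References list should also include the MITRE entry for CVE-2020-25217, since both the Description and Exploitability sections state that root-level code execution depends on that companion issue. The affected firmware range is never stated explicitly; the Resolution only implies that versions before 1.0.5.27 are affected, so a line such as "Affected versions: GRP261x firmware prior to 1.0.5.27" under Technical Details would let readers check a device without reading the release note.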