RedTeam Pentesting researchers have discovered multiple vulnerabilities in a widely used VoIP (voice over Internet protocol) appliance made by the German telecommunications hardware manufacturer Auerswald.
The vulnerabilities were identified during penetration testing, and according to RedTeam Pentesting’s researchers, attackers can exploit the flaws to gain full administrative access to the devices.
"Two backdoor passwords were found in the firmware of the COMpact 5500R PBX," researchers from RedTeam Pentesting explained. "One backdoor password is for the secret user 'Schandelah', the other can be used for the highest-privileged user 'admin.' No way was discovered to disable these backdoors."
The security flaw tracked as CVE-2021-40859 carries a critical severity rating of 9.8. Auerswald patched the vulnerability with a firmware upgrade (version 8.2B) published in November 2021, following a responsible disclosure on September 10. "Firmware Update 8.2B contains important security updates that you should definitely apply, even if you don't need the advanced features," the company said in a post without explicitly citing the issue.
A private branch exchange, or PBX, is a switching system that serves a private firm and is used to create and manage phone calls between telecommunication endpoints, including traditional telephone sets, destinations on the public switched telephone network (PSTN), and devices or services on VoIP networks.
The vulnerability was uncovered after RedTeam Pentesting began a detailed search into a service Auerswald offers if a client loses access to their administrator account, in which case the password linked with a privileged account can be changed by contacting the manufacturer.
Specifically, the researchers found that the devices are configured to check for a hard-coded username "Schandelah" in addition to "sub-admin," the account that, according to the official documentation, is intended for administering the system. "It turns out that Schandelah is the name of a tiny village in northern Germany where Auerswald produces their devices," the researchers said.
The German pen-testing firm’s follow-up research disclosed that "the corresponding password for this username is derived by concatenating the PBX's serial number, the string 'r2d2,' and the current date [in the format 'DD.MM.YYYY'], hashing it with the MD5 hash algorithm and taking the first seven lower-case hex chars of the result."