close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Advisory: Multiple vulnerabilities discovered in GOautodial

Scott Tolley

Dec 07, 2021 / 2 min read

Table of Contents

Overview

Synopsys Cybersecurity Research Center (CyRC) research has discovered multiple vulnerabilities in the all-in-one call center software suite GOautodial. The suite, which has 50,000 users in call centers around the world, is open source and freely available to download, and it is also available as a paid cloud service from multiple providers. The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via unrestricted file upload.

The first issue (CVE-2021-43175: Broken authentication) falls under the A01 Broken Access Control category on the OWASP Top 10 list. This vulnerability allows any attacker with access to the internal network hosting GOautodial to steal sensitive configuration data such as default passwords from the GOautodial server, without needing any credentials such as a username or password. This data could then be used to connect to other related systems on the network such as VoIP phones or services.

The second issue (CVE-2021-43176: Local file inclusion with path traversal) allows any authenticated user at any level, including contact center employees, to perform remote code execution. This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behavior such as stealing passwords or spoofing communications (sending messages or emails that look like they come from someone else).

Affected software

Versions of the GOautodial API (https://github.com/goautodial/goAPIv2) at or prior to commit b951651 on September 27, 2021 appear to be vulnerable. This includes the latest publicly available ISO installer GOautodial-4-x86_64-Final-20191010-0150.iso.

Both vulnerabilities are patched as of commit 15a40bc on October 20, 2021.

Impact

CVE-2021-43175: Broken authentication
GOautodial exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. 

This allows the caller to name and call a second PHP file without having any valid credentials for the GOautodial system. For example, this POST request will successfully authenticate despite the credentials not being valid, and will return system settings from GOautodial:

 POST /goAPIv2/goSystemSettings/goAPI.php?
goAction=goGetSystemSettingInfo&
goPass=notarealpassword&
goUser=notarealuser&
hostname=192.168.190.1&
responsetype=json&
session_user=goadmin

Most of the individual API functions appear to contain their own additional checks on user identity, credentials, and session state, which means that they are not vulnerable to exploitation. However, goGetSystemSettingInfo.php, which leaks sensitive configuration details including system passwords, certainly is.

CVSS 3.1 base score: 5.3 (medium)
CVSS 3.1 vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVE-2021-43176: Local file inclusion with path traversal
The API router takes a user-supplied “action” parameter and appends a .php file extension to locate and load the correct PHP file to implement the API call. Vulnerable versions of GOautodial do not sanitize the user input that specifies the action. This permits an attacker to execute any PHP source file with a .php extension that is present on the disk and readable by the GOautodial web server process. Combined with CVE-2021-43175, it is possible for the attacker to do this without valid credentials.

If the attacker can upload arbitrary PHP files to the server, that would allow arbitrary code execution on the server.

Regular authenticated users of the GOautodial system—such as call center employees—can send messages including attachments to other users. These attachments are saved with their original filename in a predictable location on the server. This means that any regular authenticated user of the GOautodial system can upload and execute arbitrary PHP files on the server. 

CVSS 3.1 base score: 8.8 (high)
CVSS 3.1 vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Remediation

Synopsys recommends upgrading to GOautodial API commit 15a40bc or later.

Discovery credit

Scott Tolley, a researcher from the Synopsys Cybersecurity Research Center, discovered these vulnerabilities using the Seeker® interactive application security testing (IAST) tool, which tests for security vulnerabilities automatically during the software development life cycle (SDLC). 
Synopsys would like to commend the GOautodial team for their responsiveness and for addressing these vulnerabilities in a timely manner.

Timeline

  • September 22, 2021: Initial disclosure
  • October 20, 2021: GOautodial fixes the vulnerability
  • November 17, 2021: Synopsys validates the fix
  • December 7, 2021: Advisory published by Synopsys

Continue Reading

Introducing fAST Dynamic: Streamlining dynamic application security testing

Introducing fAST Dynamic: Streamlining dynamic application security testing

Vishrut Iyengar
By Vishrut Iyengar

Mar 19, 2024 / 3 min read

Tags: DAST, Software Integrity, Security News & Trends, Build Security into DevOps
CVE-2017-5638: The Apache Struts vulnerability explained

CVE-2017-5638: The Apache Struts vulnerability explained

Fred Bals
By Fred Bals

Mar 16, 2024 / 3 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain
2024 OSSRA Report: Outdated code risk in open source components

2024 OSSRA Report: Outdated code risk in open source components

Fred Bals
By Fred Bals

Mar 06, 2024 / 4 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain, Manage Security Risks

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security