
Researchers discovered multiple backdoors in a popular VoIP appliance from the German manufacturer Auerswald that allow administrative access to the device.
The researchers reverse-engineered the firmware image of the COMpact 5500, version 7.8A, which was downloaded from the Auerswald support website. They used Ghidra, the open-source reverse engineering tool developed by the US National Security Agency (NSA), for their analysis.
The experts started by investigating the password reset functionality of the web interface. The username used for authentication is compared to another string:
iVar5 = strcmp((char *)username,"Schandelah");
“Schandelah” appears to be an undocumented, special username; it is the name of a village in northern Germany where Auerswald produces its devices.
The manufacturer's own strncpy implementation, auer_strncpy, ensures that the string is properly null-terminated, so the backdoor password actually consists of only the first seven characters of the MD5 hash:
$ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'
1432d89
The backdoor password allowed the experts to reset the administrator password and gain full privileges on the PBX. The pen testers then looked for other invocations of the same password generator elsewhere in the code.
This branch of code is executed when the administrative username admin is passed. The admin password stored in the variable local_d8 is checked. If the password entered by the user does not match, it is compared again to a “fallback” password generated using the backdoor routine. The country code configured for the PBX is read out and passed as an argument.
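As an added illustration (not code from the article or from Auerswald's firmware), the authentication pattern described above is modelled in C below: the flawed check with its fallback branch beside a hardened check that has a single credential path. All credential values, the fallback string and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample credentials for illustration only; no real device values. */
static const char *STORED_ADMIN_PASSWORD = "CorrectHorseBatteryStaple";
static const char *FALLBACK_PASSWORD     = "0abc123";   /* stands in for the derived 7-char value */

/* Pattern described in the article: the configured admin password is checked,
 * and on mismatch an undocumented "fallback" password is accepted as well.
 * The operator cannot see, change or disable this second credential. */
bool login_with_fallback(const char *username, const char *password)
{
    if (strcmp(username, "admin") != 0)
        return false;
    if (strcmp(password, STORED_ADMIN_PASSWORD) == 0)
        return true;
    return strcmp(password, FALLBACK_PASSWORD) == 0;   /* backdoor branch */
}

/* Compares every byte regardless of where the first mismatch occurs, so the
 * comparison time does not reveal how much of a guess was correct. */
static bool equal_all_bytes(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Hardened form: exactly one credential path, the administrator's own
 * configured password, and no alternative derived from device data. */
bool login_hardened(const char *username, const char *password)
{
    bool user_ok = equal_all_bytes(username, "admin");
    bool pass_ok = equal_all_bytes(password, STORED_ADMIN_PASSWORD);
    return user_ok && pass_ok;
}

int main(void)
{
    printf("fallback accepted by flawed check:   %d\n", login_with_fallback("admin", "0abc123"));
    printf("fallback accepted by hardened check: %d\n", login_hardened("admin", "0abc123"));
    return 0;
}
```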
The above issue is tracked as CVE-2021-40859 and received a CVSS score of 9.8.
Firmware Update 8.2B contains important security updates that you should definitely apply, even if you don’t need the advanced features. In addition to installing this update, you should also deactivate direct access from the Internet to the web interface for security reasons. Instead, use the Auerswald Remote Access or VPN to access remote ICT systems via the Internet.
The researchers also found other vulnerabilities: credentials could be read out from a single IP telephone (CVE-2021-40856), which allowed access to the PBX with limited privileges. An attacker can escalate these privileges to “sub-admin” (CVE-2021-40857) to configure the PBX. The German manufacturer addressed the issues with the release of a firmware update in November 2021.