CVE-2020-25218: Vulnerability-Disclosures/FEYE-2021-0002.md at master · mandiant/Vulnerability-Disclosures

FEYE-2021-0002****Description

Grandstream Networks’ GRP261x VoIP phone running firmware version 1.0.3.6 (Base) is susceptible to an authentication bypass vulnerability in its administrative web interface. When combined with CVE-2020-25217, unauthenticated remote code execution as the privileged user root is possible. We suspect that this was introduced prior to firmware version 1.0.3.6, but it was not verified.

Impact

High - An attacker with remote network access to a GRP261x could remotely compromise the device. This could be used to install malware, modify system behavior, or stage a more serious attack.

Exploitability

High - When used in combination with CVE-2020-25217, an unauthenticated user with remote access to the administrative web interface could execute commands as the privileged user root.

CVE Reference

CVE-2020-25218

Technical Details

Mandiant discovered the GRP261x is vulnerable to an authentication bypass in the following API:

• http(s)://<device>/cgi-bin/direct-login

Mandiant determined that HTTP GET requests to this URL were processed by the server without credentials. The server responded with a valid session-identity cookie for the web role admin, which could then be used to access the administrative web interface as the authenticated user admin.

Resolution

Grandstream Networks has fixed the reported vulnerability in version 1.0.5.27 (October 2020) of the GRP162x software.

Discovery Credits

• Jake Valletta, FireEye Mandiant
• Michael Maturi, FireEye Mandiant

Disclosure Timeline

• 9 September 2020 - Issue reported to vendor
• 9 September 2020 - CVE reserved with MITRE
• 11 September 2020 - Issue confirmed by Grandstream Networks
• 30 October 2020 - Grandstream Networks Releases Patch
• 22 March 2021 - FireEye Mandiant advisory published

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25218