CVE-2020-25217: Vulnerability-Disclosures/FEYE-2021-0001.md at master · mandiant/Vulnerability-Disclosures
Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Command Injection as root in its administrative web interface.
**FEYE-2021-0001**

**Description**
Grandstream Networks’ GRP261x VoIP phone running firmware version 1.0.3.6 (Base) is susceptible to authenticated command injection as the privileged user root in its administrative web interface. When combined with CVE-2020-25218, unauthenticated remote code execution is possible. We suspect that this flaw was introduced prior to firmware version 1.0.3.6, but this was not verified.
**Impact**
High - An attacker with remote network access to a GRP261x could remotely compromise the device. This could be used to install malware, modify system behavior, or stage a more serious attack.
**Exploitability**
High - When used in combination with CVE-2020-25218, an unauthenticated user with remote access to the administrative web interface could execute commands as the privileged user root.
**CVE Reference**
CVE-2020-25217
**Technical Details**
Mandiant discovered that the GRP261x is vulnerable to command injection in the following API endpoint:
- `http(s)://<device>/cgi-bin/api-traceroute_and_ping`

Mandiant determined that the `url` POST parameter was not properly sanitized by the server before being used, resulting in a command injection vulnerability.
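The root cause described above is a user-supplied value reaching a command line without being validated. The following is an added example, not code from Mandiant or from the Grandstream firmware, showing the defensive pattern a ping/traceroute handler should follow: accept the target only if it is a bare IP address or DNS hostname (rejecting rather than escaping anything else), and then pass it to the tool as a single argv element so no shell ever parses it. The function names, the hostname rules, and the fixed `ping -c` count are assumptions of this example; only the endpoint and the `url` parameter name come from the advisory.

```python
import ipaddress
import re
from typing import List

# RFC 1123-style DNS label: 1-63 chars of letters, digits and hyphens,
# with no leading or trailing hyphen. Because a label can never start with
# "-", a validated hostname can also never be mistaken for a tool option.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(value: str) -> bool:
    """Return True only if value is a bare IPv4/IPv6 address or a DNS hostname.

    Everything else (shell metacharacters, whitespace, URL schemes, paths)
    is rejected outright. Allow-listing the shape of the value is safer than
    trying to strip or escape dangerous characters after the fact.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # accepts "192.0.2.10", "2001:db8::1", ...
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_diagnostic_argv(tool: str, target: str, count: int = 4) -> List[str]:
    """Build an argv list for ping or traceroute with the target as one argument.

    Raises ValueError for an unsupported tool or an invalid target. The result
    is intended for subprocess.run(argv) WITHOUT shell=True, so the target is
    handed to the program verbatim and is never re-parsed by /bin/sh.
    (Hypothetical handler logic for the api-traceroute_and_ping endpoint.)
    """
    if tool not in ("ping", "traceroute"):
        raise ValueError("unsupported tool")
    if not is_valid_target(target):
        raise ValueError("invalid target")
    if tool == "ping":
        return ["ping", "-c", str(count), target]
    return ["traceroute", target]


if __name__ == "__main__":
    # Constructed sample inputs: what a hardened handler would accept or refuse.
    for candidate in ["192.0.2.10", "phone.example.com", "example.com;x", "host name"]:
        print(f"{candidate!r}: {'accepted' if is_valid_target(candidate) else 'rejected'}")
    print(build_diagnostic_argv("ping", "192.0.2.10"))
```

The important design choice is that validation decides whether the request is served at all; escaping is never attempted, and the argv list form means the fix does not depend on which characters the device's shell happens to treat specially.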
**Resolution**
Grandstream Networks has fixed the reported vulnerability in version 1.0.5.27 (October 2020) of the GRP261x software.
**Discovery Credits**
- Jake Valletta, FireEye Mandiant
- Michael Maturi, FireEye Mandiant
**Disclosure Timeline**
- 9 September 2020 - Issue reported to vendor
- 9 September 2020 - CVE reserved with MITRE
- 11 September 2020 - Issue confirmed by Grandstream Networks
- 30 October 2020 - Grandstream Networks releases patch
- 22 March 2021 - FireEye Mandiant advisory published
**References**
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25217