‘TANDBERG Video Communication Server Authentication Bypass Vulnerability’

Summary

This vulnerability allows for the complete bypass of authentication in the administrative web console.’

Credit:

‘The information has been provided by Jon Hart and Timothy D. Morgan.
The original article can be found at: http://www.vsecurity.com/resources/advisory/20100409-1/


Details

Vulnerable Systems:
 * Video Communication Server (VCS) version x4.2.1

Immune Systems:
 * Video Communication Server (VCS) version x4.3.0

The TANDBERG VCS web management interface utilizes custom cookies for the purpose of session management. In version x4.2.1 of the appliance firmware (and possibly earlier versions), it is possible to forge session cookies with relatively little knowledge of the appliance’s configuration.

The vulnerability lies in the files located at the following paths:
/tandberg/web/lib/secure.php
/tandberg/web/user/lib/secure.php

Routines in these files generate user session cookies in roughly the following way:

SECRET = SERVER_ADDRESS + STATIC_VALUE
HASH = md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME)
COOKIE = USERNAME + ACCESS_RIGHTS + CLIENT_ADDRESS + CURRENT_TIME + HASH

In the above pseudocode, the SERVER_ADDRESS represents the VCS system’s IP address, STATIC_VALUE represents a fixed string which is hard-coded into the application source, USERNAME is the authenticated user name, CLIENT_ADDRESS is the IP address of the user’s system, CURRENT_TIME is a simple UNIX time stamp, and ACCESS_RIGHTS is an integer denoting the level of access assigned to the user.

Note, that none of the information above is difficult to guess. Any owner of a TANDBERG VCS would have access to the STATIC_VALUE (and in fact, this value is contained in the firmware updates). All TANDBERG appliances have a default user name of ‘admin’ which has full privileges.

Workaround:
Temporary mitigation could be achieved by changing the ‘$this->secret’ constant in the following files to something unpredictable:
/tandberg/web/lib/secure.php
/tandberg/web/user/lib/secure.php

CVE Information:
CVE-2009-4509

Disclosure Timeline:
2009-12-09 Preliminary notice to TANDBERG. TANDBERG responded immediately.
2010-04-07 TANDBERG VCS firmware version x5.1.1 released which corrected other flaws identified by VSR.
2010-04-09 VSR advisory released.’

Categories: News