This post describes three security vulnerabilities related to access controls and authentication in the TPN Handset Portal, part of the Fuze platform. Rapid7 thanks Fuze for their quick and thoughtful response to these vulnerabilities: Fuze fixed all three issues by May 6, 2017, and user action is not required to remediate.

R7-2017-07.1, CWE-284 (Improper Access Control): An unauthenticated remote attacker can enumerate through MAC addresses associated with registered handsets of Fuze users. This allows them to craft a URL that reveals details about the user, including their Fuze phone number, email address, parent account name/location, and a link to an administration interface. This information is returned over HTTP and does not require authentication.

R7-2017-07.2, CWE-319 (Cleartext Transmission of Sensitive Information): The administration interface URL revealed from the URLs enumerated in R7-2017-07.1 will prompt for a password over an unencrypted HTTP connection. An attacker with a privileged position on the network can capture this traffic.

R7-2017-07.3, CWE-307 (Improper Restriction of Excessive Authentication Attempts): Authentication requests to the administration portal do not appear to be rate-limited, thus allowing attackers to potentially find successful credentials through brute-force attempts.

Fuze is an enterprise, multi-platform voice, messaging, and collaboration service created by Fuze, Inc. While much of the Fuze suite of applications is delivered as web-based SaaS components, there are endpoint client applications for a variety of desktop and mobile platforms. It is described fully at the vendor's website.

These issues were discovered by a Rapid7 user, and they are being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Exploitation R7-2017-07.1
Any unauthenticated user can browse to ( ) and, if a valid MAC address is provided in place of MACADDRESS, receive a response that includes the following data about a Fuze handset user:

Account (including location information).

Here is a (redacted) example of retrieving the above information using Fuze's TPN Portlet:

While the total possible MAC address space is large (48 bits), the practical space in this case is significantly less. An attacker would only need to enumerate options starting with related published OUIs to target the subset of MAC addresses for Polycom and Yealink phones, which are the officially supported phone brands that Fuze offers, as outlined here. For example, Polycom's OUIs are 00:04:F2 and 64:16:7F.

An attacker can use this information to enumerate all Fuze customers/users with hard phones and collect their email addresses and their phone numbers, and also access the Fuze device admin login page (shown below) and potentially make configuration changes.

While it is common for handsets to request configuration from a remote server during boot, and indeed for those requests to not be authenticated, the fact that the configuration server is located in the cloud versus on-prem, and the fact that the specific URLs are crafted using a known pattern of MAC addresses, adds an unexpected surface for undesired information disclosure.

Exploitation R7-2017-07.2
Network traffic between a handset and the TPN Portal ( ) is sent over HTTP. Thus, if an attacker is able to capture/intercept network traffic while the handset boots up, they would be able to view the content of requests made to the Portal, including the admin code, as shown below:

If an attacker was not listening to network traffic during handset boot, they could still determine the administration portal URL by MAC enumeration as mentioned in R7-2017-07.1.

Exploitation R7-2017-07.3
Given that URL, the attacker could try various admin codes until they are successfully logged in, as it does not appear that authentication attempts are limited.

Remediation
Fuze addressed R7-2017-07.1 on Ap by requiring password authentication to access the TPN portal ( ), and R7-2017-07.2 on by encrypting traffic to the TPN portal. Hashed passwords were pushed out by Fuze to customer handsets during a daily required update check. Handsets were also configured to use TLS for future communication with the portal at that time. After this update was pushed, Fuze's servers were configured to deny unauthenticated requests, as well as requests made over HTTP. No user action is required to remediate these two issues.

If any handsets did not receive these updates, users would not be able to perform some actions from the handset directly, such as re-assigning to a new user. This may impact a small number of users, who should work with Fuze support to resolve. Phone re-assignment and other configuration changes can still be made and pushed from the Fuze server side.
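The two exploitation patterns above (walking MAC-keyed configuration URLs within a known OUI, and repeatedly submitting admin codes to the handset admin page) both leave a distinctive trace in a web server's access log. The following detector is an added example, not code from the advisory or from Fuze; the URL paths `/tpn/config/<MAC>.cfg` and `/tpn/admin/login` and the sample log lines are constructed for illustration (the real portal paths are not given in this post), while the Polycom OUIs come from the text above.

```python
import re
from collections import defaultdict

# Polycom OUIs named in the advisory; the OUI is the first 24 bits of a MAC address.
KNOWN_OUIS = {"0004f2": "Polycom", "64167f": "Polycom"}

# Assumed URL shapes for this example only (the advisory does not give the real paths):
#   GET  /tpn/config/<MAC>.cfg   handset configuration fetch keyed by MAC address
#   POST /tpn/admin/login        admin-code submission for the handset admin page
CONFIG_PATH = "/tpn/config/"
ADMIN_LOGIN_PATH = "/tpn/admin/login"

# Combined-log-format prefix: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Twelve hex digits, with or without ':' / '-' separators, not embedded in a longer hex run.
MAC_RE = re.compile(r"(?i)(?<![0-9a-f])((?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2})(?![0-9a-f])")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def mac_from_path(path):
    """Normalised 12-hex-digit MAC if the path is a MAC-keyed config fetch, else None."""
    if not path.startswith(CONFIG_PATH):
        return None
    m = MAC_RE.search(path[len(CONFIG_PATH):])
    return re.sub(r"[:-]", "", m.group(1)).lower() if m else None


def analyze(log_text, enum_threshold=5, fail_threshold=5):
    """Flag sources that walk many MAC-keyed URLs (07.1) or repeatedly fail admin login (07.3)."""
    macs_by_ip = defaultdict(set)
    misses_by_ip = defaultdict(int)      # 404s on config fetches: guesses that hit no handset
    login_failures_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        mac = mac_from_path(rec["path"])
        if mac:
            macs_by_ip[rec["ip"]].add(mac)
            if rec["status"] == 404:
                misses_by_ip[rec["ip"]] += 1
        elif rec["method"] == "POST" and rec["path"] == ADMIN_LOGIN_PATH and rec["status"] in (401, 403):
            login_failures_by_ip[rec["ip"]] += 1

    findings = {"mac_enumeration": {}, "admin_bruteforce": {}}
    for ip, macs in macs_by_ip.items():
        if len(macs) >= enum_threshold:
            vendors = defaultdict(int)
            for mac in macs:
                vendors[KNOWN_OUIS.get(mac[:6], "unknown")] += 1
            findings["mac_enumeration"][ip] = {
                "distinct_macs": len(macs),
                "not_found": misses_by_ip[ip],
                "vendors": dict(vendors),
            }
    for ip, n in login_failures_by_ip.items():
        if n >= fail_threshold:
            findings["admin_bruteforce"][ip] = n
    return findings


# Constructed sample log: one source walking six consecutive MACs inside Polycom's 00:04:F2
# OUI (five of them unassigned), one source failing six admin-code submissions before
# succeeding, and one ordinary handset fetching its own configuration once.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 - - [01/May/2017:10:00:{i:02d} +0000] "GET /tpn/config/0004f20000{i:02d}.cfg HTTP/1.1" {404 if i < 6 else 200} 0'
     for i in range(1, 7)]
    + [f'203.0.113.9 - - [01/May/2017:10:05:{i:02d} +0000] "POST /tpn/admin/login HTTP/1.1" {401 if i < 7 else 200} 0'
       for i in range(1, 8)]
    + ['192.0.2.20 - - [01/May/2017:10:07:00 +0000] "GET /tpn/config/64:16:7f:aa:bb:cc.cfg HTTP/1.1" 200 790']
)

if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOG).items():
        print(category, hits)
```

A normal handset fetches one configuration, its own, at boot, so a single source touching many distinct MAC-keyed URLs, most of them 404, is the enumeration signal; grouping the MACs by OUI shows whether the walk is confined to a vendor prefix, which is exactly the shortcut the post describes. The thresholds are deliberately low for the sample and would be tuned against real traffic.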
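The remediation section describes two of the controls that close these issues (password authentication on the portal and TLS for handset traffic), and R7-2017-07.3 is about the third: limiting repeated admin-code attempts. The class below is an added example of how those three controls fit together on the server side; it is an assumed design for illustration, not Fuze's implementation, and the handset MAC and admin code it enrolls are constructed values.

```python
import hashlib
import hmac
import os
import time


class AdminCodeGate:
    """Password check for a handset admin page with lockout after repeated failures.

    Assumed design for this example; it is not Fuze's implementation. Failure counts
    are keyed by handset MAC, so rotating source addresses does not reset them.
    """

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._creds = {}     # mac -> (salt, pbkdf2 hash of the admin code)
        self._failures = {}  # mac -> (consecutive failures, locked_until)
        self._dummy_salt = os.urandom(16)

    @staticmethod
    def _derive(code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)

    def enroll(self, mac, admin_code):
        """Store a salted hash of the admin code; the plaintext code is never kept."""
        salt = os.urandom(16)
        self._creds[mac] = (salt, self._derive(admin_code, salt))

    def attempt(self, mac, admin_code, over_tls):
        """Return 'ok', 'denied', 'locked' or 'rejected: cleartext transport'."""
        if not over_tls:
            # Refuse before touching credentials: the admin code must not travel in the clear.
            return "rejected: cleartext transport"
        now = self.clock()
        count, locked_until = self._failures.get(mac, (0, 0.0))
        if now < locked_until:
            return "locked"
        if locked_until:
            count, locked_until = 0, 0.0   # lockout expired; start a fresh window
        stored = self._creds.get(mac)
        if stored is None:
            # Unknown handset: run the same derivation so timing does not reveal which MACs exist.
            self._derive(admin_code, self._dummy_salt)
            ok = False
        else:
            salt, digest = stored
            ok = hmac.compare_digest(self._derive(admin_code, salt), digest)
        if ok:
            self._failures.pop(mac, None)
            return "ok"
        count += 1
        if count >= self.max_failures:
            self._failures[mac] = (count, now + self.lockout_seconds)
            return "locked"
        self._failures[mac] = (count, 0.0)
        return "denied"


class FakeClock:
    """Controllable clock so lockout expiry can be exercised without waiting."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    gate = AdminCodeGate(clock=clock)
    gate.enroll("0004f2000001", "1234")          # constructed handset MAC and admin code
    print(gate.attempt("0004f2000001", "1234", over_tls=False))   # rejected: cleartext transport
    for _ in range(5):
        print(gate.attempt("0004f2000001", "0000", over_tls=True))  # denied x4, then locked
    print(gate.attempt("0004f2000001", "1234", over_tls=True))    # locked, even with the right code
    clock.t = 301.0
    print(gate.attempt("0004f2000001", "1234", over_tls=True))    # ok
```

Keying the lockout by handset rather than by source address is what makes it effective against R7-2017-07.3, since an attacker can change source addresses far more easily than the handset can change its MAC; the cost is that a legitimate administrator can be locked out of that one handset for the window, which is why the window is short and the server-side management path in the remediation section still works.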