
SecurityWeek


Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems

Atos Unify product vulnerabilities could be exploited to cause disruption and reconfigure or backdoor the targeted system. 

Two vulnerabilities discovered earlier this year in Atos Unify products could allow malicious actors to cause disruption and even backdoor the targeted system.

The flaws were found in the unified communications and collaboration solution by researchers at SEC Consult, an Austria-based cybersecurity consulting firm that is part of the Atos Group’s Eviden business.

The vulnerabilities affect the Atos Unify Session Border Controller (SBC), which provides security for unified communications, the Unify OpenScape Branch product for remote offices, and Border Control Function (BCF), which is designed for emergency services.

SEC Consult researchers discovered that the web interface of these products is affected by CVE-2023-36618, which can be exploited by an authenticated attacker with low privileges to execute arbitrary PHP functions and subsequently operating system commands with root privileges.

The second security hole, CVE-2023-36619, can be exploited by an unauthenticated attacker to access and execute certain scripts. An attacker could leverage these scripts to cause a denial-of-service (DoS) condition or change the system’s configuration.

SEC Consult says the vulnerabilities have critical impact, but the vendor has assigned the flaws a ‘high severity’ rating based on their CVSS score.

“Attackers can gain full control (root access) over the appliance, if any low-privileged user credentials are known, and could reconfigure or backdoor the system (e.g. change SIP upstream configuration, etc),” Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek.

Greil pointed out that the affected web interface is typically not exposed to the internet and a brief Shodan analysis shows there are no systems that are reachable from the web.


The cybersecurity firm this week published an advisory containing technical information, but proof-of-concept (PoC) exploit code has not been made public. 

Atos has released updates that should patch both Unify vulnerabilities. The vendor has also suggested a series of workarounds that can prevent or reduce the risk of exploitation. 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
