SecurityWeek | Vulnerabilities

Zero-day Vulnerability Highlights the Responsible Disclosure Dilemma

A zero-day vulnerability found in a video-conferencing system and responsibly disclosed led to the response, “Our developers are aware of some known vulnerabilities with the systems, development for these devices has slowed significantly as they are End of Life. For devices that are still under support, we may target future releases.”


This left the vulnerability finder — Trustwave SpiderLabs’ researcher Simon Kenin — with a quandary: publish the vulnerability so that users would be aware of the threat, even though attackers might then use it, or simply sit on it. Shodan shows 372 Lifesize devices in universities around the world, and the Lifesize website claims, “Tens of thousands of organizations around the world use Lifesize.”

The vulnerability, amounting to multiple command injection flaws, is trivial to exploit and was found in all versions of four Lifesize products: Team, Room, Passport and Networker. It requires access to the firmware, which can only be obtained with a valid serial number; an attacker holding such a serial number can obtain the firmware just the same. The attack also requires access to the Lifesize support function, but the device ships with a default support account.

The Lifesize problem is nothing more than a lack of input sanitization: user-provided input is passed directly to the PHP shell_exec function, which executes system commands as the webserver user. The value to the attacker is limited, but it nevertheless gives them a foothold on the server.
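The pattern the article describes, beside a hardened form, as an added PHP example that is not Lifesize's code; the diagnostics endpoint and its ping command are hypothetical:

```php
<?php
// Added illustration of the flaw class the article describes; this is not
// Lifesize's code. A hypothetical diagnostics endpoint takes a host name from
// the request and builds a ping command from it.

// UNSAFE pattern: the user-supplied value is concatenated into the command
// line unchanged, so any shell metacharacters it carries are interpreted by
// the shell and run with the webserver user's privileges once passed to
// shell_exec().
function build_command_unsafe(string $host): string
{
    return "ping -c 1 " . $host;
}

// HARDENED form: reject anything outside a strict allowlist of hostname
// characters, then quote the argument with escapeshellarg() as a second layer
// in case the allowlist is loosened later.
function build_command_safe(string $host): string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException("rejected host value: $host");
    }
    return "ping -c 1 " . escapeshellarg($host);
}

// Constructed inputs: one benign, one carrying a second shell command.
foreach (['example.com', '127.0.0.1; id'] as $host) {
    echo "unsafe: " . build_command_unsafe($host) . "\n";
    try {
        // Only the validated, quoted command line would ever reach shell_exec().
        echo "safe:   " . build_command_safe($host) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe:   " . $e->getMessage() . "\n";
    }
}
```

The unsafe builder emits the second input as two commands, while the hardened builder rejects it before anything is executed.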

However, by combining this new command injection vulnerability with a separate — and also unfixed — privilege escalation bug, Kenin blogged that he “could achieve root privileges on the Lifesize product’s system and have full persistence on the device and its underlying corporate network.” He wrote a full Python PoC exploit and provided it with his disclosure to Lifesize in November 2018.

He received no reply from Lifesize. In January 2019 he tried again — and this is when he was told there would be no fix. “It is always a dilemma when you go public with an advisory after a responsible disclosure process that does not result in a fix,” he wrote. “On one hand, I could simply trash my work on this research and keep attention off of it… But,” he added, “for all we know, a malicious attacker could already have in their possession the same knowledge that I do and may be actively using this exploit to infiltrate corporate networks.”

With no sign of a patch, he decided he would have to go to full disclosure — but this story has a happy ending. The day before he was due to publish his findings, Lifesize issued a statement: “We encourage all customers using Lifesize 220 Series systems to contact Lifesize support for a hotfix. Our support teams can be reached by telephone, email or by opening a support ticket.”

Kenin decided to publish his findings (Advisory TWSL2019-001) but to withhold the exploit for two weeks, after which it will be appended to the advisory.

“We will hold the PoC for two weeks until Thursday, February 21st in order to give users a chance to apply the hotfix,” wrote Kenin. “At that time we will release the PoC code to provide users, administrators and network security professionals with the technical details and tools to validate whether they are still vulnerable. This PoC will be added directly to the advisory.”


Written by Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
