Vulnerability Lab experts identified a number of web vulnerabilities in Barracuda’s CudaTel Phone Application 2.0.029.1, which is part of the CudaTel Communication Server, an easy-to-use audio-video communication system that’s used by businesses worldwide.
Benjamin Kunz Mejri, aka Rem0ve, the founder and CEO of Vulnerability Lab, identified the high risk security holes that affect Barracuda’s product, and implicitly their customers.
The multiple persistent Input Validation vulnerabilities could be remotely exploited to inject malicious code and manipulate modules by leveraging persistent context requests, even on accounts with fewer user rights.
“When exploited by an authenticated user, the identified vulnerabilities can result in information disclosure via error, session hijacking, access to available phone line services, manipulated persistent context execution out of the auto route listings,” Vulnerability Lab informs.
The vulnerable section was appointed as being the Automated Attendants module, which includes the Advanced Routing extension - NAME & Listing, Auto Attendants - NAME & Listing, and the ALL Types Listing Category sub-modules.
The experts provided us with a proof of concept that demonstrated the way in which the vulnerability could have been exploited. Tech savvy readers can check it out here.
We say “could have been exploited” because Barracuda rushed to address the security holes after the researchers notified them.
The weaknesses were identified on February 19 when they were reported to the vendor. A few days later the company responded, and on March 7 a fix was released. On March 8, Vulnerability Lab published its findings.
Recently, the experts also discovered flaws in other products such as the Pandora FMS monitoring tool, a couple of content management systems (CMSs), and in the popular instant messaging application Skype.
We also had an interview with one of the Lab experts, Georgian researcher Ucha Gobejishvili, who shared some interesting things about his life as a white hat hacker.