Serious Vulnerability Found in Lifesize Business Videoconferencing Devices

A security researcher from security firm Trustwave has found a vulnerability that could allow hackers to take over videoconferencing devices made by Lifesize. Some of the affected products have reached end-of-sale or end-of-support, but are still widely used by organizations around the world in meeting rooms.

The vulnerability is located in the firmware of Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker, an IP and ISDN videoconferencing gateway, particularly in their PHP-based support interfaces.

The flaw allows for command injection and is caused by improper sanitization of user input passed to the PHP shell_exec function. A malicious user with access to the support interface can leverage it to execute commands on the underlying operating system with the permissions of the apache account.
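The pattern described above, reconstructed as an added illustration rather than Lifesize's actual code: a simplified PHP diagnostic handler that passes a request parameter to `shell_exec`, beside a hardened version. The `host` parameter, the `ping` diagnostic and the function names are assumptions chosen for the example; the article does not name the affected script or parameter.

```php
<?php
// Added example, not code from the Lifesize firmware or from Trustwave.
// Both functions assume a support page that runs a network diagnostic for a
// user-supplied host (the ping use and the parameter name are assumptions).

// Vulnerable pattern: untrusted input concatenated straight into the command
// string. shell_exec() hands the string to /bin/sh, so any shell metacharacter
// in $host is interpreted by the shell and the injected command runs with the
// privileges of the web server account (apache on the devices in the article).
function pingHostUnsafe(string $host): string
{
    return shell_exec("ping -c 1 " . $host) ?? '';
}

// Strict allow-list for what a host value may look like: hostname characters
// or an IPv4 literal. Anything else (spaces, ';', '|', '$', backticks, quotes)
// is rejected before it gets anywhere near a shell.
function isValidHost(string $host): bool
{
    return strlen($host) <= 253
        && preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/', $host) === 1;
}

// Hardened pattern: validate first, then quote with escapeshellarg() so the
// whole value reaches ping as a single argument. Defense in depth: the
// allow-list alone would already block injection, the quoting protects you
// if the allow-list is loosened later.
function pingHostSafe(string $host): string
{
    if (!isValidHost($host)) {
        throw new InvalidArgumentException('host contains disallowed characters');
    }
    return shell_exec('ping -c 1 ' . escapeshellarg($host)) ?? '';
}

// Safest pattern (PHP 7.4+): avoid the shell entirely by passing the command
// as an argument array to proc_open(); no string is ever parsed by /bin/sh.
function pingHostNoShell(string $host): string
{
    if (!isValidHost($host)) {
        throw new InvalidArgumentException('host contains disallowed characters');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Usage: the allow-list accepts ordinary host values and rejects anything
// carrying shell syntax, which is exactly the class of input the article's
// command injection relies on.
var_dump(isValidHost('10.0.0.1'));        // bool(true)
var_dump(isValidHost('gw.example.org'));  // bool(true)
var_dump(isValidHost('10.0.0.1; id'));    // bool(false)
```

Two caveats a reviewer of such a handler should keep in mind: `escapeshellarg()` quotes according to the process locale and can strip bytes it considers invalid in that locale, so it is a quoting helper, not a substitute for the allow-list; and input handling only narrows the first link in the chain the article describes. The web server account should still have no path to root (no sudo rules, no setuid helpers it can call), so that a future injection bug in another page stops at the apache user instead of ending in a root shell.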

At first glance, this is not a critical issue because it requires authentication and because the apache user has limited privileges on the OS. However, there are two additional issues that make the problem worse.

First, the Lifesize devices ship with a default support account and password that can give attackers an easy way to access the interface. Many users never change these default credentials.

The second is an older privilege escalation vulnerability that has been reported to Lifesize by another researcher and which hasn’t been fixed. This vulnerability could allow an attacker to gain full privileges on the device.

By combining the three issues—default support credentials, the command injection vulnerability and the privilege escalation flaw—an attacker can take complete control over the system remotely. If the device is publicly exposed to the internet, this kind of access can give attackers a foothold into the corporate network from where they can target other systems.

“I wrote a python PoC [proof-of-concept] exploit that achieves full RCE on those Lifesize products and provided it to Lifesize with the advisory,” the Trustwave researcher said in an advisory published today. “The PoC takes an argument which is an IP of Lifesize product and tries to connect with the default credentials, then it crafts a malicious request which injects code with a payload that would escalate from Apache user into root and would spawn a reverse shell with root privileges.”

The Shodan search engine shows 372 Lifesize devices in universities around the globe that are accessible to the internet. However, the company’s services and devices are used by thousands of companies worldwide.

According to Trustwave, Lifesize initially was hesitant to fix the vulnerability because the affected devices are considered legacy and are no longer being sold. However, just before the release of the advisory, the company informed Trustwave that it has developed a hotfix for the Lifesize 220 Series systems and encourages all customers to contact its support department to obtain it.

Trustwave will delay the publishing of the proof-of-concept exploit for two weeks, until Feb. 21, to give systems administrators the opportunity to deploy the patch. Once the PoC becomes available, it will be very easy for hackers to target these devices, so organizations that have them on their networks should deploy the patch as soon as possible and isolate the devices from the internet.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
