Multiple backdoors have been discovered during a penetration test in the firmware of a widely used voice over Internet Protocol (VoIP) appliance from Auerswald, a German telecommunications hardware manufacturer, that could be abused to gain full administrative access to the devices.
"Two backdoor passwords were found in the firmware of the COMpact 5500R PBX," researchers from RedTeam Pentesting said in a technical analysis published Monday. "One backdoor password is for the secret user 'Schandelah', the other can be used for the highest-privileged user 'admin.' No way was discovered to disable these backdoors."
The vulnerability has been assigned the identifier CVE-2021-40859 and carries a critical severity rating of 9.8. Following responsible disclosure on September 10, Auerswald addressed the problem in a firmware update (version 8.2B) released in November 2021. "Firmware Update 8.2B contains important security updates that you should definitely apply, even if you don't need the advanced features," the company said in a post without directly referencing the issue.
PBX, short for private branch exchange, is a switching system that serves a private organization. It's used to establish and control telephone calls between telecommunication endpoints, including customary telephone sets, destinations on the public switched telephone network (PSTN), and devices or services on VoIP networks.
RedTeam Pentesting said it uncovered the backdoor after taking a closer look at a service Auerswald provides in the event that a customer loses access to their administrator account, in which case the password associated with the privileged account can be reset by contacting the manufacturer.
Specifically, the researchers found that the devices are configured to check for a hard-coded username "Schandelah" besides "sub-admin," the account that's necessary to manage the device according to the official documentation. "It turns out that Schandelah is the name of a tiny village in northern Germany where Auerswald produces their devices," the researchers said.
Follow-on investigation by the German pen-testing firm revealed that "the corresponding password for this username is derived by concatenating the PBX's serial number, the string 'r2d2,' and the current date [in the format 'DD.MM.YYYY'], hashing it with the MD5 hash algorithm and taking the first seven lower-case hex chars of the result."
Put simply, all an attacker needs to generate the password for the username "Schandelah" is to obtain the serial number of the PBX — a piece of information that can be trivially retrieved using an unauthenticated endpoint ("https://192.168.1[.]2/about_state"), enabling the bad actor to gain access to a web interface that allows for resetting the administrator password.
On top of that, the researchers said they identified a second backdoor that is triggered when the administrative username "admin" is passed, for which a fallback password is programmatically derived using the aforementioned algorithm, the only difference being that a two-letter country code is appended to the concatenated string before the MD5 hash is computed. As in the previous case, the alternative password provides full-privileged access to the PBX without the administrator password having to be reset first.
"Using the backdoor, attackers are granted access to the PBX with the highest privileges, enabling them to completely compromise the device," the researchers said. "The backdoor passwords are not documented. They secretly coexist with a documented password recovery function supported by the vendor."
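Because the backdoor accounts cannot be disabled on unpatched firmware, the practical defences are to confirm the installed firmware is at least 8.2B and to watch authentication logs for the undocumented "Schandelah" account or for "admin" logins from hosts that are not expected to administer the PBX. The following is an added example written for this article, not code from Auerswald or RedTeam Pentesting; the syslog-style log format and the "MAJOR.MINOR[LETTER]" version scheme are assumptions, and the log lines are constructed sample data.

```python
import re

# Constructed sample lines in an ASSUMED syslog-like format; the real
# Auerswald PBX log format is not described in the article.
SAMPLE_LOG = """\
2021-12-20T08:01:12Z pbx auth: user=sub-admin src=192.0.2.10 result=success
2021-12-20T08:03:40Z pbx auth: user=Schandelah src=203.0.113.5 result=success
2021-12-20T08:04:02Z pbx auth: user=admin src=203.0.113.5 result=success
2021-12-20T09:15:33Z pbx auth: user=admin src=192.0.2.10 result=failure
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Undocumented account named in the advisory; matched case-insensitively.
UNDOCUMENTED_USERS = {"schandelah"}

# Firmware that contains the fix (from the article); version scheme is assumed.
FIXED_VERSION = (8, 2, "B")


def parse_auth_line(line):
    """Return a dict with ts/user/src/result for one log line, or None."""
    m = AUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def find_backdoor_logins(log_text, trusted_admin_sources=frozenset()):
    """Flag use of the undocumented account and successful 'admin' logins
    from hosts that are not in the trusted administration set."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        user = ev["user"]
        if user.lower() in UNDOCUMENTED_USERS:
            findings.append((ev["ts"], user, ev["src"], "undocumented backdoor account used"))
        elif user == "admin" and ev["result"] == "success" and ev["src"] not in trusted_admin_sources:
            findings.append((ev["ts"], user, ev["src"], "admin login from untrusted source"))
    return findings


def parse_firmware_version(version_str):
    """Parse an assumed 'MAJOR.MINOR[LETTER]' version such as '8.2B'
    into a tuple that compares in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)([A-Z]?)", version_str.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version_str!r}")
    return (int(m.group(1)), int(m.group(2)), m.group(3))


def is_patched(version_str):
    """True if the firmware is 8.2B or later."""
    return parse_firmware_version(version_str) >= FIXED_VERSION


if __name__ == "__main__":
    for version in ("8.1C", "8.2B", "8.3A"):
        print(f"firmware {version}: {'patched' if is_patched(version) else 'VULNERABLE'}")
    for ts, user, src, why in find_backdoor_logins(SAMPLE_LOG, frozenset({"192.0.2.10"})):
        print(f"{ts} user={user} src={src}: {why}")
```

Any hit on the undocumented username is a high-confidence signal on its own, since the article states the account has no legitimate documented use; the "admin" rule is noisier and should be tuned with the real set of management hosts.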