Critical security vulnerabilities have been uncovered in VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands.
Following responsible disclosure by researchers from Kerbit, an Ethiopia-based penetration-testing and vulnerability research firm, on December 15, 2021, the issues were addressed in version 24.97 of the WEB GUI shipped on January 11, 2022.
"[F]ix critical vulnerabilities - new SQL injects for unauthenticated users allowing gaining admin privileges," the maintainers of VoIPmonitor noted in the change log.
VoIPmonitor is an open-source network packet sniffer with commercial frontend for SIP RTP and RTCP VoIP protocols running on Linux, allowing users to monitor and troubleshoot quality of SIP VoIP calls as well as decode, play, and archive calls in a CDR database.
The three flaws identified by Kerbit is below –
- CVE-2022-24259 (CVSS score: 9.8) – An authentication bypass bug in the "cdr.php" component of the GUI that enables an unauthenticated attacker to elevate privileges via a specially crafted request.
- CVE-2022-24260 (CVSS score: 9.8) – An SQL injection vulnerability that occurs in the "api.php" and "utilities.php" components of the GUI that allows attackers to escalate privileges to the administrator level and retrieve sensitive data.
- CVE-2022-24262 (CVSS score: 7.8) – A remote command execution via the GUI's configuration restore functionality due to a missing check for archive file formats, allowing a bad actor to execute arbitrary commands via a crafted file.
"The main reason that the bug [is] here is the fact that we are allowed to upload any file extension and that we can reach the uploaded files to get them to execute," Kerbit researcher Daniel Eshetu, who discovered the flaws, said in a write-up.