Two vulnerabilities have been identified on three Atos Unify OpenScape products, SBC, Branch, and BCF, which are associated with Missing authentication and Authenticated Remote code execution.
One of the vulnerabilities allows threat actors to execute arbitrary operating system commands as root users, while the other allows them to access and execute various configuration scripts. However, these vulnerabilities have been fixed by Unify.
The National Vulnerability Database (NVD) has not yet confirmed the severity score and vector.
Authenticated Remote Code Execution (CVE-2023-36618)
This vulnerability exists on the administrative web application API, which has improper validation of inputs by an authenticated user. This allows a threat actor to execute arbitrary PHP functions, eventually executing operating system-level commands with root privileges.
In order to exploit this vulnerability, a threat actor must have a low-privileged ReadOnly role as a prerequisite. Applications that were found to be vulnerable to this vulnerability have been built with functions that call callMainFunction, which takes care of processing the POST data.
Attend the Live DDoS Website & API Attack Simulation webinar to gain knowledge on various types of attacks and how to prevent them.
callMainFunction in /srv/www/htdocs/core/CoreAPI.php calls arbitrary functions and checks for forbidden functions with the help of cfgUtilCheckMethod located at /srv/www/htdocs/core/cfgUtil.php.
This cfgUtil.php file uses several functions like cfgUtilExecute, cfgUtilShellExec, and especially cfgUtilShellExecSudo, cfgUtilSetPermExecSudo, and cfgUtilExecSudo which a threat actor can utilize to execute root commands on the affected appliance.
Missing Authentication (CVE-2023-36619)
Several PHP scripts were found to have zero authentication for execution. These scripts also perform several functions, like the start.php file configures and starts the appliance. The scripts identified include,
- hostname/core/configuringInBackground.php
- hostname/core/downloadProfiles.php
- hostname/core/hello_world.php
- hostname/core/scripts/applyZooServerData.php
- hostname/core/scripts/cfgGenUpdateSSPStatusTable.php
- hostname/core/scripts/checkcardsDbHw.php
- hostname/core/scripts/config1.php
- hostname/core/scripts/recover.php
- hostname/core/scripts/start.php
- hostname/core/scripts/startPre.php
- hostname/core/shutdown.php 
- hostname/data/sipLbInfo.php
- hostname/data/turnInfo.php
Vulnerable Products and Fixed in Version
Vulnerable Products | Version | Fixed in Version | Impact |
Atos Unify OpenScape Session Border Controller | OpenScape SBC before V10 R3.3.0 | OpenScape SBC V10 >=R3.3.0 | Critical |
Atos Unify OpenScape Branch | OpenScape Branch V10 before V10 R3.3.0 | OpenScape Branch V10 >=R3.3.0 | |
Atos Unify OpenScape BCF | OpenScape BCF V10 before V10 R10.10.0 | OpenScape BCF V10 >=R10.10.0 |
Users of these products are recommended to upgrade to the latest versions to prevent these vulnerabilities from getting exploited by threat actors.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.