Researchers detected remote OS command injection vulnerabilities in Lifesize enterprise collaboration products. The vulnerabilities were found in four Lifesize products - Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker. The vulnerabilities could allow attackers to remotely gain control of the products and use them as a snooping tool.
Serial number of the product is required for exploitation
Researchers explained that in order to exploit these vulnerabilities, attackers need to gain access to the firmware of Lifesize products, which also requires them to get hold of the serial number of the products.
However, if these requirements can be acquired, then it becomes very easy for attackers to remotely gain control of the products with the help of some software tools and information from the Lifesize support page. The software tools and Lifesize support page details help the attackers to provide a backdoor into the Lifesize products.
Privilege escalation + Command injection vulnerability
Researchers revealed that the initial vulnerability comes from a programming error which allows user input to occur without being restricted by sanitization involving shell functions. This programming error coupled with a privilege escalation vulnerability allows running system commands thereby providing attackers with access into the network of the Lifesize products. Researchers noted that combining this privilege escalation with a command injection vulnerability, it's possible to gain full persistence on the device.
“With this, you have access to everything. Any video or audio stored on that machine will be gettable fairly trivially,” Ed Williams, Director of Trustwave's Spiderlabs research told ZDNet.
“That machine can be used as a launchpad to attack other machines. Say this audio equipment is internet-facing, you can get access to the underlying operating system through this vulnerability. From an external attack, you can potentially gain internal access – it's a worst-case scenario, but potentially very serious,” Williams added.
Williams noted that detecting the root cause of the attack and detecting if the device is compromised or not becomes difficult because these types of devices do not have good logging.
“It'd be difficult to tell if a device had been accessed because these type of devices don't have very good logging. As a result, it's difficult to see what's going on, so it'd be difficult to find out if this is the root cause of an attack. Attackers are likely to be looking for and using this,” Williams said.
Security patch to be issued
Lifesize confirmed to ZDNet that it will be issuing patches for all the four affected products.
“We are pro-actively addressing the vulnerability and automatically patching all Icon 220 Series systems that are connected to the Lifesize Cloud. For non-cloud connected devices, customers will need to deploy the hotfix and we will work with each impacted customer to resolve the issue as quickly as possible,” Bobby Beckmann, CTO at Lifesize said.