Researchers have identified three critical security flaws in the Pascom Cloud Phone System that threat actors could chain together to achieve complete pre-authenticated remote code execution on affected systems.
Chained together, the vulnerabilities in the CPS allow an unauthenticated threat actor to obtain root privileges on affected devices.
Pascom Cloud Phone System (CPS) is an integrated communication and collaboration solution that enables businesses to set up and run private telephone networks across several different platforms. Its virtual phone system feature also helps businesses monitor, maintain, and keep their business associates up to date.
The researchers identified three critical vulnerabilities affecting businesses that run the Pascom Cloud Phone System.
The three vulnerabilities are an arbitrary path traversal in the web interface, a post-authentication command injection via the daemon service exd[.]pl, and a server-side request forgery (SSRF) caused by an outdated third-party dependency, tracked as CVE-2019-18394.
Threat actors can chain these flaws to reach non-exposed endpoints by issuing arbitrary GET requests and obtain the administrator password, which can then be used to gain remote code execution through the scheduled task.
The researchers also noted that the exploit chain allows commands to be run as root, giving attackers complete control of the device and an easy path to privilege escalation.
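Because the chain starts with a path traversal in the web interface, defenders running a self-hosted instance can look for traversal attempts in their web-server access logs. The following is an added example (not code from the article, from the researchers, or from Pascom): it parses common-log-format lines, percent-decodes the request path repeatedly so that double-encoded sequences are not missed, and flags any path containing a parent-directory segment. The log lines and the /portal/... paths in them are constructed placeholders, not real Pascom endpoints.

```python
"""Flag path-traversal attempts in web-server access logs.

Added example; the sample log lines and paths below are constructed and
are not real Pascom endpoints or traffic.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines in the common log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:10:00:01 +0000] "GET /portal/index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2022:10:00:02 +0000] "GET /portal/../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [10/Mar/2022:10:00:03 +0000] "GET /portal/%2e%2e/%2e%2e/config.ini HTTP/1.1" 200 256
203.0.113.9 - - [10/Mar/2022:10:00:04 +0000] "GET /portal/..%252f..%252fsecret HTTP/1.1" 404 0
203.0.113.5 - - [10/Mar/2022:10:00:05 +0000] "GET /portal/assets/app.js HTTP/1.1" 200 2048
"""

# client ip, timestamp, method, request path and status code
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode until stable so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the decoded path contains a '..' directory segment."""
    decoded = fully_decode(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_attempts(log_text):
    """Return (ip, raw_path, status) for every request flagged as traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        if is_traversal(match.group("path")):
            hits.append((match.group("ip"), match.group("path"), int(match.group("status"))))
    return hits


def successful_attempts(hits):
    """Traversal requests that got a 2xx response deserve the highest priority."""
    return [hit for hit in hits if 200 <= hit[2] < 300]


if __name__ == "__main__":
    attempts = find_traversal_attempts(SAMPLE_LOG)
    for ip, path, status in attempts:
        print(f"{ip} {status} {path}")
    print(f"{len(successful_attempts(attempts))} traversal request(s) returned 2xx")
```

A 2xx status on a flagged path is the signal worth escalating, since a 404 means the server rejected the request; a real deployment would also normalise Unicode and overlong UTF-8 encodings before the segment check.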
The researchers reported the vulnerabilities to Pascom early this year, and the vendor released patches to resolve the issues.
Experts advised Pascom customers who self-host their Cloud Phone System to update to the latest version, Pascom Server 19.21, which should be applied immediately to mitigate potential attacks.