Multiple Vulnerabilities Found In GoAutoDial Call Center Software

The dedicated call center software GoAutoDial has recently addressed numerous critical vulnerabilities, including remote code execution.

Numerous Vulnerabilities Spotted In GoAutoDial

Researchers from Synopsys Cybersecurity Research Center (CyRC) spotted multiple security vulnerabilities in the GoAutoDial software.

Briefly, GoAutoDial is an open-source software suite for facilitating call center activities for big and small businesses.

According to Synopsys CyRC’s advisory, they found two different security flaws in the tool. The first is a medium severity information disclosure vulnerability that emerged due to improper/broken authentication. This vulnerability (CVE-2021-43175) achieved a CVSS score of 5.3.

Describing the impact of this bug, the advisory reads,

Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate.
This allows the caller to name and call a second PHP file without having any valid credentials for the GOautodial system.

In brief, exploiting this bug would lead to information disclosure.

The second vulnerability (CVE-2021-43176) is a high severity bug with a CVSS score of 8.8. Exploiting this vulnerability would allow an authenticated adversary to upload arbitrary PHP files to the server and execute codes. Describing this vulnerability, the advisory states,

The API router takes a user-supplied “action” parameter and appends a .php file extension to locate and load the correct PHP file to implement the API call. Vulnerable versions of GOautodial do not sanitize the user input that specifies the action.

Although, the bug in itself would only work for authenticated users. However, an unauthenticated adversary may exploit it together with the first bug to access data and upload malicious files.

Patches Released

Following this discovery, the researchers communicated with GoAutoDial to report the bugs that affected GoAutoDial versions until the commit b951651.

Consequently, the vendors deployed the patches for both bugs with the commit 15a40bc. Updating the systems with the latest release should secure the users from potential threats arising from these flaws.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients