The dedicated call center software GoAutoDial has recently addressed numerous critical vulnerabilities, including remote code execution.
Numerous Vulnerabilities Spotted In GoAutoDial
Researchers from Synopsys Cybersecurity Research Center (CyRC) spotted multiple security vulnerabilities in the GoAutoDial software.
Briefly, GoAutoDial is an open-source software suite for facilitating call center activities for big and small businesses.
According to Synopsys CyRC’s advisory, they found two different security flaws in the tool. The first is a medium severity information disclosure vulnerability that emerged due to improper/broken authentication. This vulnerability (CVE-2021-43175) achieved a CVSS score of 5.3.
Describing the impact of this bug, the advisory reads,
Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate.
This allows the caller to name and call a second PHP file without having any valid credentials for the GOautodial system.
In brief, exploiting this bug would lead to information disclosure.
The second vulnerability (CVE-2021-43176) is a high severity bug with a CVSS score of 8.8. Exploiting this vulnerability would allow an authenticated adversary to upload arbitrary PHP files to the server and execute codes. Describing this vulnerability, the advisory states,
The API router takes a user-supplied “action” parameter and appends a .php file extension to locate and load the correct PHP file to implement the API call. Vulnerable versions of GOautodial do not sanitize the user input that specifies the action.
Although, the bug in itself would only work for authenticated users. However, an unauthenticated adversary may exploit it together with the first bug to access data and upload malicious files.
Patches Released
Following this discovery, the researchers communicated with GoAutoDial to report the bugs that affected GoAutoDial versions until the commit b951651.
Consequently, the vendors deployed the patches for both bugs with the commit 15a40bc. Updating the systems with the latest release should secure the users from potential threats arising from these flaws.