Credit:
The information has been provided by Axel Rengstorf.
The original article can be found at: http://seclists.org/bugtraq/2010/Sep/155
Vulnerable Systems:
* Alcatel-Lucent CTI CCA CCAgent versions before 9.0.8.4
Immune Systems:
* Alcatel-Lucent CTI CCA CCAgent version 9.0.8.4
The same TCP/IP ports are used both for administering the server and for registering out-of-office call center agents. In addition, no real authentication takes place. A tool called "Tsa_Maintainance.exe", which ships with the product, can be used to view the debugging functions and status of the call center without any authentication. As a result, every call center agent can monitor the entire call center and co-workers, trace lines, deregister lines, etc.
Further investigation showed that authentication is available but is implemented the wrong way. In a normal setup, the client sends the credentials to the server for verification. The ALCATEL WAY of user authentication is that the client verifies whether authentication was successful: the call center agent server sends the administrative password to the client so that the client can decide whether to proceed to the administrative functions. It is therefore trivial to patch the client software to pass the authentication. Furthermore, with every "authentication" attempt to the server, the attacker gains knowledge of the administrative password.
The password for the "SuperUser" is sent from the TSA server to the client in cleartext in the following way:
Name=SuperUser Password=072 175 173 176 173 177 181
Well, it is exactly what it appears to be: the "SuperUser" account name and password, lightly obfuscated. The first number (72) is the offset between each of the remaining numbers and the ASCII decimal value of the corresponding password character.
175 - 72 = 103 == g
173 - 72 = 101 == e
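To check whether a server is still disclosing this record, the following added example (not part of the original advisory or of any Alcatel-Lucent tooling) scans a captured server-to-client payload for the record format shown above and reports the account name and password length without returning the password. The function name, the regular expression and the sample payloads are assumptions built from the single record quoted in the advisory.

```python
import re

# Record layout taken from the single sample in the advisory; the assumption
# is that other records use the same "Name=<user> Password=<decimals>" shape.
RECORD = re.compile(rb"Name=(\S+)\s+Password=(\d{1,3}(?: \d{1,3})+)")


def find_leaked_credentials(payload: bytes):
    """Return one finding per credential record seen in a server->client payload.

    The password itself is never returned: a finding only reports the account
    name, the password length and whether the offset scheme decodes cleanly.
    """
    findings = []
    for match in RECORD.finditer(payload):
        numbers = [int(n) for n in match.group(2).split()]
        offset, encoded = numbers[0], numbers[1:]
        decoded = [n - offset for n in encoded]
        findings.append({
            "account": match.group(1).decode("ascii", "replace"),
            "password_length": len(encoded),
            # Printable ASCII after subtracting the offset means the record is
            # a recoverable password, not an unrelated run of numbers.
            "recoverable": all(0x20 <= c <= 0x7E for c in decoded),
        })
    return findings


# Constructed payloads: the first embeds the record quoted in the advisory,
# the second is unrelated traffic that must not raise a finding.
SAMPLE_LEAK = b"\x00\x10Name=SuperUser Password=072 175 173 176 173 177 181\r\n"
SAMPLE_CLEAN = b"Status=OK Lines=012 Agents=004\r\n"

if __name__ == "__main__":
    for name, payload in (("leak", SAMPLE_LEAK), ("clean", SAMPLE_CLEAN)):
        print(name, find_leaked_credentials(payload))
```

Any finding with "recoverable" set means the password crossed the network in a form anyone on the path can reverse, so the credential should be rotated after upgrading to the fixed version.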
Workaround:
Disable the maintenance access:
- On the TSA server: disable the TSA maintenance access in the server configuration file.
Implement segregation of roles:
- Agent workstations should not offer the manager's client application (TSA_manager.exe). Remove it if found.
- Manager workstations should only offer the manager's client application and not the agent client application.
- Use a separate IP subnet to host the manager workstations.
- Provide physical protection to manager workstations by implementing physical access control to the room where the Contact Center managers have their workstations.
Protect credentials exchanged over the LAN:
- Configure IPsec on the TSA server to require mandatory IPsec access from an explicit list of management workstations.
- Configure the Windows firewall to allow cleartext access from an explicit list of agent workstations and drop all packets from any other workstations.
CVE Information:
CVE-2010-3279
CVE-2010-3280
Disclosure Timeline:
2010/02/16 initial information to Alcatel-Lucent
2010/08/10 Alcatel-Lucent confirms that vulnerability is fixed (fix date: 2010/06/08)
2010/09/15 CVE numbers received
2010/09/20 Advisory released