Multiple high-severity vulnerabilities in the Grandstream HT800 series of Analog Telephone Adaptors (ATAs) threaten home-office and midrange users alike, with outages, eavesdropping and device takeover.

The HT800 series of ATAs is designed for everyone from home or small-office users to medium-sized businesses looking to connect their analog telephone devices to a VoIP network, unified communications system or other IP-based communications infrastructure. According to analysis from Tenable, the models have four worrying flaws, all of them unpatched as of this writing.

The bug tracked as CVE-2020-5760 (rated 7.8 out of 10 on the CVSS scale) could allow command injection during the provisioning process. Unauthenticated remote attackers can execute arbitrary commands as root by crafting a special configuration file and sending a crafted SIP message.

“Tenable found the HT800 series is vulnerable to command injection via the configuration file when P240 is set to 1 and P2 (password) contains shell metacharacters,” the firm said in its advisory, released this week. “Furthermore, Tenable found that an unauthenticated remote attacker could trigger this injection via a x-gs-ucm-url SIP message.”

Tenable also published a proof-of-concept exploit, which results in a root shell on the device, allowing full compromise.

Meanwhile, CVE-2020-5761 is an infinite loop problem in the TR-069 service (rated 7.5 out of 10 on the CVSS scale) that can result in CPU exhaustion. The TR-069 is a…
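As an added defensive check (not part of the article or of Tenable's advisory), the Python below audits a provisioning config for the condition the advisory describes (P240 set to 1 while P2 contains shell metacharacters) and flags SIP messages that carry an x-gs-ucm-url header, so an operator can review provisioning sources before a fix is available. The plain-text "Pnnn = value" layout, the header being a plain SIP header line, and the sample inputs are all assumptions constructed here.

```python
import re

# Assumed plain-text config layout: one "Pnnn = value" per line (the article
# names P240 and P2 but not the file format, so this layout is an assumption).
PVALUE_RE = re.compile(r"^\s*(P\d+)\s*=\s*(.*?)\s*$")
# Characters treated as shell metacharacters when they appear in P2 (password).
SHELL_META = set(";|&$`<>(){}'\"\\*?!\n")
# Assumption: the provisioning trigger appears as an ordinary SIP header line.
UCM_URL_RE = re.compile(r"^x-gs-ucm-url\s*:\s*(.*)$", re.I | re.M)


def parse_pvalues(text):
    """Map P-codes to their values from an assumed 'Pnnn = value' text config."""
    values = {}
    for line in text.splitlines():
        m = PVALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit_config(text):
    """Report the CVE-2020-5760 precondition: P240 == 1 and metacharacters in P2."""
    v = parse_pvalues(text)
    meta = sorted(c for c in set(v.get("P2", "")) if c in SHELL_META)
    if v.get("P240") == "1" and meta:
        return [f"P240=1 with shell metacharacters in P2: {meta}"]
    if meta:
        return [f"shell metacharacters in P2 (P240 not set to 1): {meta}"]
    return []


def audit_sip(message):
    """Return every x-gs-ucm-url value in a SIP message so its origin can be reviewed."""
    return [url.strip() for url in UCM_URL_RE.findall(message)]


# Constructed samples: a config meeting the precondition and a SIP message
# carrying the provisioning header (addresses are documentation ranges).
SAMPLE_CONFIG = "P2 = pa$$word\nP240 = 1\nP192 = fm.example.invalid\n"
SAMPLE_SIP = ("NOTIFY sip:1000@192.0.2.10 SIP/2.0\r\n"
              "x-gs-ucm-url: http://192.0.2.5/config\r\n\r\n")

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("config:", finding)
    for url in audit_sip(SAMPLE_SIP):
        print("sip provisioning url:", url)
```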
4 Unpatched Bugs Plague Grandstream ATAs for VoIP Users (govanguard, 2020-07-31 17:05)