Security Vulnerability in ShoreWare Director


Dennis Kelly

Oct 13, 2013, 6:15:27 PM
to mr-...@googlegroups.com
So many of you know one of my summer projects was our ShoreTel VOIP phone system implementation. I discovered, reported, and disclosed two security vulnerabilities to the Bugtraq and Full Disclosure security lists. Just giving all you ShoreTel guys a heads up as well.

Title: ShoreWare Director Denial of Service and Arbitrary File Modification
Product: ShoreTel ShoreWare Director
Vendor: ShoreTel, http://www.shoretel.com
Vulnerable Versions: 18.61.7500.0, and likely all prior versions.
Tested Version: 18.61.7500.0
Credit: Dennis Kelly <dennis...@gmail.com>

Introduction

ShoreTel ShoreWare Director is the core management interface for managing ShoreTel's Unified Communication (UC) system. The ShoreWare server install includes an IIS FTP service used to distribute configuration and firmware to IP phones using anonymous FTP. Additionally, a virtual directory /ShorewareDirector that is not visible in a directory listing is used by ShoreWare Director for uploading and storing Auto-Attendant Menu Prompts (System Greetings).

Impact

By default, the /ShorewareDirector directory is available via anonymous FTP, unrestricted, and with read-write access. It is vulnerable to:

- A Denial of Service (DoS) filling up the disk with arbitrary files. If the directory resides on the C: drive, it could make the entire server unavailable. Otherwise, it could prevent administrators from changing menu prompts or other system functions utilizing the same disk.

- Unauthenticated changes and deletion of menu prompts actively being used by the system. Deleting an actively used file will cause the system to use the default greeting. An attacker could overwrite an active prompt (can take hours to refresh from the FTP server though) that would result in a good laugh and high fives, but also could be used to convince users to take further action or disclose sensitive information as a step in a more complex attack.

Vendor Response

The vendor reports this is an essential component of their platform and does not impose significant impact to system integrity. A change request to the functionality can be submitted to sugge...@shoretel.com.

Mitigation

Limit access to the /ShorewareDirector directory to an administrative host or network using FTP Address and Domain Restrictions in IIS.

Timeline

10/04/2013: Vulnerability discovered.
10/07/2013: Vendor contacted.
10/11/2013: Vendor response.
10/13/2013: Disclosure.
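The mitigation above, scoping IIS FTP IP and Domain Restrictions to the /ShorewareDirector virtual directory, as an added example (not part of the advisory or ShoreTel's own tooling). It assumes the IIS WebAdministration PowerShell module, an FTP site named "Default FTP Site", and an administrative subnet of 10.10.0.0/24; both names are placeholders to adjust for your environment.

```powershell
# Added example: restrict anonymous FTP access to /ShorewareDirector to an
# administrative network using IIS FTP IP and Domain Restrictions.
# Assumptions (placeholders): site name "Default FTP Site", admin subnet 10.10.0.0/24.
Import-Module WebAdministration

$site     = 'Default FTP Site'                       # placeholder site name
$location = "$site/ShorewareDirector"                # virtual directory named in the advisory
$filter   = 'system.ftpServer/security/ipSecurity'   # FTP IP and Domain Restrictions section
$psPath   = 'MACHINE/WEBROOT/APPHOST'                # applicationHost.config
$adminNet = @{ ipAddress = '10.10.0.0'; subnetMask = '255.255.255.0' }  # placeholder subnet

# 1. Deny every address that is not explicitly listed, for this location only.
#    The default (allowUnlisted = true) is what leaves the directory open to anyone.
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
    -Name 'allowUnlisted' -Value $false

# 2. Allow only the administrative network. Because the rule is scoped to the
#    virtual directory, IP phones keep anonymous read access to the rest of the site.
Add-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
    -Name '.' -Value @{ ipAddress  = $adminNet.ipAddress
                        subnetMask = $adminNet.subnetMask
                        allowed    = $true }

# 3. Read back the effective configuration for the location to confirm the change.
$cfg = Get-WebConfiguration -PSPath $psPath -Location $location -Filter $filter
"allowUnlisted for $location = $($cfg.allowUnlisted)"
$cfg.Collection | Select-Object ipAddress, subnetMask, allowed
```

After applying it, confirm from a host outside the allowed subnet that an anonymous login can still fetch phone configuration from the site root but is refused when changing into /ShorewareDirector; if the rule was applied at the site level instead of the location, the phones lose access too.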

Benjamin Whiting

Oct 13, 2013, 6:43:38 PM
to mr-...@googlegroups.com
Dennis-

Speaking of your VOIP project, what would you say your two major obstacles were, and how did you solve those?

Anyone else that wants to chime in that has implemented VOIP recently is welcome, we are implementing a small phase 1 Cisco VOIP in a couple weeks (35 licenses), with the majority (+200 more) happening Spring 14.

Thank you in advance.

-Benjamin
Sent from my iPad
> --
> You received this message because you are subscribed to the Google Groups "Mountain Resort Technology User Group" group.

Dennis Kelly

Oct 14, 2013, 11:43:03 AM
to mr-...@googlegroups.com
Hi Benjamin,

Overall I consider the project extremely successful - delivered on time, under budget, and nothing but positive feedback from staff on the migration. The ShoreTel implementation and training teams were very helpful. Also, I think it helped that we were on a PBX that was old, dying, and lacking even basic features and functionality - everyone was ready for something new.

I believe the biggest hurdle was continuing to support analog lines and migrating them to the new phone system. I spent a lot of time documenting extensions and lining things up on the phone system, but our electrical department still had problems getting them all in place. Being bluntly honest, I chalk this up to poor planning and documentation on their part, as they were involved months prior, we met several times, and they were given plans and timeframes.

The only issue we experienced on the IT side was getting the desktop software, ShoreTel Communicator, deployed using Group Policy to all computers, but then that only took a few days - needed to give my new employees a good learning experience :)

On the VOIP side things were seamless - I had already prepared our infrastructure for it, so VLANs, DHCP, PoE, etc. were ready and it was pretty much plug and play. We had a phone up and working within an hour of ShoreTel's arrival. We deployed phones to the desktop prior to this, so it was a simple reboot of the phone for them to be configured. I had inventoried extensions and users, which were imported directly to the system. The following day people were able to configure their extension and voicemail. The third morning we went live, simply by moving the PRI cable from the old system to the new and people just switched from using their old phone to the new.

Having good documentation on your extensions and users is key. It makes everything else simple.

Cheers!
Denno