Backdoor CVE-2021-40859 in Auerswald PBX systems (e.g. COMpact 5500R 7.8A & 8.0B) fixed

[German]Auerswald s a German manufacturer of telephone systems for corporate use. Security researchers have discovered backdoors in the firmware of Auerswald telephone systems (e.g. COMpact 5500R) that could be used to reset the administrator password. This was disclosed on 20.12.2021. Here is some information about it. The backdoor has been removed in firmware versions 7.8A & 8.0B.

Auerswald COMpact 5500R

The Auerswald COMpact 5500R is a telephone PBX system with which, according to the manufacturer, one is "best equipped for everyday business". The system has a fully modular architecture with 80 IP channels and all the functions of a large ITC server. It allows up to 112 subscribers and thus scales with the requirements of a company.

Auerswald COMpact 5500R, Source: Auerswald

Continuous maintenance and expansion of the system software should make this versatile IP server a future-proof investment in any business communication. The manufacturer also offers other models of telephone systems for different applications.

Firmware with backdoors

I came across an unpleasant piece of information on Twitter. There were backdoors in the firmware of various phone systems. In this tweet, a Red team of pentesters discloses their findings on the Auerswald COMpact 5500R.

As early as September 10, 2021, testers from RedTeam Pentesting GmbH discovered backdoors in the firmware 7.8A and 8.0B of Auerswald telephone systems (e.g., the COMpact 5500R), according to CVE-2021-40859. The pentesters examined IP phones and a telephone system from Auerswald in one of the jobs. These backdoors allow attackers who are able to access the web-based management application full administrative access to the device.

The thing came to light on Dec. 6-8, 2021, but the discoverers didn't make it public until Dec. 20, 2021, in the blog post INSIDE A PBX – DISCOVERING A FIRMWARE BACKDOOR. An advisory from RedTeam Pentesting GmbH can be found here. Affected are:

• COMpact 3000 ISDN,
• COMpact 3000 analog,
• COMpact 3000 VoIP,
• COMpact 4000,
• COMpact 5000(R),
• COMpact 5200(R),
• COMpact 5500R,
• COMmander 6000(R)(RX),
• COMpact 5010 VoIP,
• COMpact 5020 VoIP,
• COMmander Business(19"),
• COMmander Basic.2(19")

The affected firmware versions are:

• <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)),
• <= 4.0S (COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP)

These backdoors have been removed in firmware versions 8.2B and 4.0T.

Backdoor details

A PBX (PBX for IP telephony) routes incoming and outgoing calls to the appropriate destinations, not unlike an IP router. Organizations often use a single phone number with various additional extensions assigned to specific phones.

When analyzing the devices, the pentesters found a reference to a service that Auerswald offers in case a customer loses the access data to his administration account. By filling out a document and contacting the manufacturer, the administrator password of the telephone system can be reset. The testers wondered how this process might work and decided to take a closer look.

To do this, the testers first downloaded the firmware image for the COMpact 5500, version 7.8A, from the Auerswald support website. Images like this contain the software for the PBX and are provided to allow customers to update the device to the latest version.

Once the format of the firmware was known, it was examined with Ghidra. In the process, the testers came across an undocumented user name Schandelah – the place where Auerswald is based – in the examined code of a web server of the firmware. The password for this user is determined from the serial number of the system, the current date, which is then encoded via MD5 hash. Seven digits of this value are then used. The serial number can be read from the firmware without authentication.

If you determine the password and then log in to the web server of the telephone system with the user name, you can then reset the administrator password. So it works as specified, but has unpleasant consequences for the owner of the telephone system if unauthorized persons know this.

This password reset story has been used by Auerswald on other models as well. Some of these devices are even accessible via the Internet (according to Shodan), so attackers could reconfigure them. As a result of this analysis, Auerswald has now updated the firmware (see) so that the backdoor has been removed. The details can be read here.