SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (VoIP/Phone/FAX)  >   Alexis Vendors:   COM2001.com
COM2001's Alexis Internet-enabled PBX Discloses Voice Mail Passwords When the Web Access Component is Used Over a Network
SecurityTracker Alert ID:  1002467
SecurityTracker URL:  http://securitytracker.com/id/1002467
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 29 2001
Impact:   Disclosure of authentication information, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): v2.1
Description:   A vulnerability was reported in COM2001's Alexis Internet-based PBX. Remote users can sniff another user's voicemail password and gain access to that user's phone applications.

It is reported that the Alexis system has a web access component that integrates with Microsoft Exchange Outlook Web Access. This web access component queries the user for the voicemail password, then opens a Java applet that connects back to the Alexis server using a default port of 8888. The username and voicemail password is passed from the applet to the server without encryption.

It is also reported that the voicemail passwords are stored in plaintext in a file called com2001.ini on the server, however, this can be protected using appropriate operating system file permissions.

Impact:   A remote user can sniff the network connection between the target user's web access Java applet and the Alexis server to obtain the target user's voicemail password. It is reported that this password can then enable the remote user to make long distance phone calls on the system or make calls that appear to originate from the target user's phone number.
Solution:   The vendor reportedly confirms the flaw and intends to correct it in the next service pack.

The author of the report suggests a workaround of blocking port 8888 to the Alexis server until the service pack is available. This will reportedly disable some of the web access features, such as call screening. Another workaround is to downgrade to version 1.1, which does not send the voicemail password via the webaccess function.

Vendor URL:  www.alexis.com/solutions/index.asp (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Two problems with Alexis/InternetPBX from COM2001


We have discovered a situation in which the InternetPBX product from 
COM2001 will pass a user's voicemail password in cleartext over the 
internet. There is also a minor issue with the way these passwords are 
stored.

Alexis is a Windows NT/2000 and Exchange based phone system that 
provides a lot of interesting features for helping businesses work in a 
more virtual manner.

First, the voicemail passwords are stored in plaintext, in the NT and/or 
w2k root directory in a file called com2001.ini. The impact of this is 
minor, as the file can of course be protected with file system permissions.

"Alexis Server" has a web access component that links in to Exchange's 
OWA. It asks for a user's voicemail password before allowing them to 
logon. This can be secured using SSL, so the password is protected 
there. Unfortunately, the alexis web access toolbar opens a java applet 
that connects back to the server on port 8888(by default). This passes 
the username and voicemail password in plaintext.

COM2001 is aware of the problem, and informed me that it has been fixed 
in the next service pack, but they do not know when that will be 
released. As far as we know, there is no "hot fix" available for this 
specific problem.

This has some really bad potential effects. Those who could sniff this 
password could then utilize the Alexis phone system to make long 
distance calls, or calls pretending to use the phone number of the 
affected Alexis phone system.

Affects: Alexis Server v2.1

Solution: Block port 8888 to your Alexis server until the service pack 
is available. This will, unfortunately, disable some of the features of 
the web access, such as call screening. If this is essential 
functionality one can downgrade to version 1.1, which does not use the 
voicemail password in the webaccess. 2.0 is unable to use SSL for the 
webaccess portion and so is vulnerable to similar(and greater) problems.

Clint Byrum
ERP.COM Security

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC