Vulnerabilities Found in GOautodial

A cybersecurity researcher has discovered multiple vulnerabilities in an open-source call center software suite used around the world.

The Synopsys Cybersecurity Research Center (CyRC) released an advisory today exposing two API vulnerabilities in GOautodial. While multiple providers sell GOautodial as a paid-for cloud service, it is available as a free download. 

“The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via unrestricted file upload,” wrote researchers in the GOautodial advisory.

Among the vulnerabilities unearthed by Synopsys is the broken authentication flaw CVE-2021-43175, which allows attackers with access to the internal network hosting GOautodial to steal sensitive configuration data, such as default passwords, from the GOautodial server without credentials. 

Using this data, a threat actor could connect to other related systems on the network, such as VoIP phones. 

Another newly found flaw is CVE-2021-43176, which allows any authenticated user at any level to perform remote code execution.

“This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behavior such as stealing passwords or spoofing communications (sending messages or emails that look like they come from someone else),” warned CyRC.

Vulnerable versions of the GOautodial API are those created prior to September 27, 2021, including the latest publicly available ISO installer, GOautodial-4-x86_64-Final-20191010-0150.iso.

Scott Tolley, a researcher from the Synopsys Cybersecurity Research Center, discovered the vulnerabilities using the interactive application security testing (IAST) tool Seeker, which automatically tests for security vulnerabilities during the software development life cycle (SDLC). 

Tolley’s initial disclosure of the vulnerabilities to GOautodial took place on September 22. The company responded on October 20, saying that the vulnerabilities had been fixed.

Synopsys validated the fix by November 17, then published its advisory regarding the vulnerabilities earlier today. 

Other vulnerabilities discovered by keen bug-hunter Tolley include CVE-2021-33177, CVE-2021-33178, and CVE-2021-33179, which are SQL injection, path traversal, and XSS vulnerabilities in the popular application, service, and network monitoring software Nagios XI.