Vulnerability one of nine critical weaknesses from lawful intercept provider.
by Dan Goodin
Software used by law enforcement organizations to intercept the communications of suspected criminals contains a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password, security researchers said today.
In a scathing advisory published Wednesday, the researchers recommended people stop using the Nice Recording eXpress voice-recording package. It is one of several software offerings provided by Ra’anana, Israel-based Nice Systems, a company that markets itself as providing “mission-critical lawful interception solutions to support the fight against organized crime, drug trafficking and terrorist activities.” The advisory warned that critical weaknesses in the software expose users to attacks that compromise investigations and the security of the agency networks.
“Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” the researchers from security consultancy SEC Consult wrote. “Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN [virtual local area network], depending on the network setup.”
The researchers verified that the vulnerabilities exist in version 6.3.5. They went on to say that partial fixes for some of the flaws have been released. Still, they advised customers not to use the product “until a thorough security review has been performed by security professionals and all identified issues have been resolved.”
The most serious of the weaknesses is a root backdoor account that contains poorly secured login credentials that can’t easily be changed.
“The MySQL database table ‘user’ contains a ‘root’ user with USRKEY/ user id 1 with administrative access rights,” the SEC Consult researchers wrote. “This user account does NOT show up within the ‘user administration’ menu when logged in as administrator user account in the web interface. Hence the password can’t be changed there. As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.”
Additional vulnerabilities include:
- unauthenticated access to sensitive files and voice recordings
- low-privileged user access to other users’ sensitive data
- unauthenticated access which allows attackers to delete or modify data
- multiple cross-site scripting flaws which allow attackers to obtain or impersonate other users’ sessions
- multiple SQL injection flaws which allow attackers to access records
The flaws may also affect former products, including Cybertech eXpress and Cybertech Myracle. The researchers said they first informed Nice representatives of the vulnerabilities in December. Two weeks ago, SEC told Nice that the advisory was scheduled for Wednesday. In addition to catering to law enforcement agencies around the world, Nice also serves other mission-critical customers, including forensic investigators, banks, utilities, and healthcare providers.
In an e-mail sent to Ars after this article was published, Nice issued the following statement:
If whitehats can so thoroughly hack the Nice Recording eXpress, there’s little reason to think less scrupulous people can’t do the same. And given the wealth of highly sensitive information at the fingertips of Nice customers, it wouldn’t be surprising for there to be large numbers of attackers with both the motivation and the background to capitalize on these weaknesses.