Atos Unify Vulnerabilities

Two vulnerabilities have been identified on three Atos Unify OpenScape products, SBC, Branch, and BCF, which are associated with Missing authentication and Authenticated Remote code execution. 

One of the vulnerabilities allows threat actors to execute arbitrary operating system commands as root users, while the other allows them to access and execute various configuration scripts. However, these vulnerabilities have been fixed by Unify. 

The National Vulnerability Database (NVD) has not yet confirmed the severity score and vector.

Authenticated Remote Code Execution (CVE-2023-36618)

This vulnerability exists on the administrative web application API, which has improper validation of inputs by an authenticated user. This allows a threat actor to execute arbitrary PHP functions, eventually executing operating system-level commands with root privileges.

In order to exploit this vulnerability, a threat actor must have a low-privileged ReadOnly role as a prerequisite. Applications that were found to be vulnerable to this vulnerability have been built with functions that call callMainFunction, which takes care of processing the POST data.

FREE Webinar

Live DDoS Attack Simulation

Attend the Live DDoS Website & API Attack Simulation webinar to gain knowledge on various types of attacks and how to prevent them.

callMainFunction in /srv/www/htdocs/core/CoreAPI.php calls arbitrary functions and checks for forbidden functions with the help of cfgUtilCheckMethod located at /srv/www/htdocs/core/cfgUtil.php. 

This cfgUtil.php file uses several functions like cfgUtilExecute, cfgUtilShellExec, and especially cfgUtilShellExecSudo, cfgUtilSetPermExecSudo, and cfgUtilExecSudo which a threat actor can utilize to execute root commands on the affected appliance.

Missing Authentication (CVE-2023-36619)

Several PHP scripts were found to have zero authentication for execution. These scripts also perform several functions, like the start.php file configures and starts the appliance. The scripts identified include,

  • hostname/core/configuringInBackground.php
  • hostname/core/downloadProfiles.php
  • hostname/core/hello_world.php
  • hostname/core/scripts/applyZooServerData.php
  • hostname/core/scripts/cfgGenUpdateSSPStatusTable.php
  • hostname/core/scripts/checkcardsDbHw.php
  • hostname/core/scripts/config1.php
  • hostname/core/scripts/recover.php
  • hostname/core/scripts/start.php
  • hostname/core/scripts/startPre.php
  • hostname/core/shutdown.php&nbsp 
  • hostname/data/sipLbInfo.php
  • hostname/data/turnInfo.php

Vulnerable Products and Fixed in Version

Vulnerable ProductsVersionFixed in VersionImpact
Atos Unify OpenScape Session Border ControllerOpenScape SBC before V10 R3.3.0 OpenScape SBC V10 >=R3.3.0 Critical
Atos Unify OpenScape BranchOpenScape Branch V10 before V10 R3.3.0 OpenScape Branch V10 >=R3.3.0 
Atos Unify OpenScape BCFOpenScape BCF V10 before V10 R10.10.0OpenScape BCF V10 >=R10.10.0

Users of these products are recommended to upgrade to the latest versions to prevent these vulnerabilities from getting exploited by threat actors.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.