search menu icon-carat-right cmu-wordmark

CERT Coordination Center


LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability

Vulnerability Note VU#213486

Original Release Date: 2011-08-29 | Last Revised: 2011-10-19

Overview

LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability when failing to sanitize input from unauthenticated clients.

Description

According to LifeSize's website "LifeSize Room combines an immersive, high definition video experience with a rich set of features to deliver a powerful, flexible, and easy-to-use video communication solution."

The LifeSize Room appliance contains an embedded web interface that allows administrative access to the appliance. This web interface fails to sanitize input from unauthenticated clients leading to an authentication bypass and possibly arbitrary code injection.

Using a proxy tool to intercept traffic between the attacker and the LifeSize Room appliance web interface, an unauthenticated attacker makes a request to the gateway.php web page that references the LSRoom_Remoting.authenticate function. The attacker can modify the Action Message Format (AMF) data in the response from the server, changing the value from "false" to "true" allowing the attacker to bypass the appliance web interface authentication.

An additional vulnerability exists when an unauthenticated attacker makes a request to the gateway.php web page that references the LSRoom_Remoting.doCommand function. Using a proxy tool to intercept traffic between the attacker and the LifeSize Room appliance system web interface, the attacker can modify the AMF data in the original parameter "pref -l /var/system/upgrade/status" in the vulnerable LSRoom_Remoting.doCommand function to be an arbitrary command that will run with the permission of the webserver.

According to the vulnerability reporter LifeSize Room LS_RM1_3.5.3 (11) and 4.7.18 is vulnerable, and possibly other versions.

Impact

A remote, unauthenticated attacker can bypass the authentication of the administrative web interface and possibly inject arbitrary code in the administrative system web interface.

Solution

Update

Logitech has stated that this vulnerability has been addressed in the latest firmware. Depending on the affected LifeSize Room appliance model the fixed versions are: 4.7.19, 4.8.1, and 4.8.6.

Restrict network access

Restrict network access to the LifeSize Room appliance administrative interface and other devices using open protocols like HTTP (tcp/80) or HTTPS (tcp/443).

Vendor Information

213486
Expand all

Logitech

Notified:  July 21, 2011 Updated:  October 19, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Depending on the affected LifeSize Room appliance model the fixed versions are: 4.7.19, 4.8.1, and 4.8.6.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Spencer McIntyre of SecureState for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2011-2762, CVE-2011-2763
Severity Metric: 1.36
Date Public: 2011-08-29
Date First Published: 2011-08-29
Date Last Updated: 2011-10-19 12:25 UTC
Document Revision: 26

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.