CVE-2021-45966
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Pascom Cloud Phone System servers by sending shell metacharacters to the /services/apply endpoint in the management REST API. It affects all Pascom Cloud Phone System installations before version 7.20.x. Attackers can gain full control of affected systems.
💻 Affected Systems
- Pascom Cloud Phone System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or disrupt phone services entirely.
Likely Case
Remote code execution leading to installation of backdoors, data exfiltration, or ransomware deployment on vulnerable systems.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the management API.
🎯 Exploit Status
Exploitation is straightforward - sending shell metacharacters to the vulnerable endpoint. Public blog posts detail the vulnerability and exploitation methods.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.20.x and later
Vendor Advisory: https://www.pascom.net/doc/en/release-notes/
Restart Required: Yes
Instructions:
1. Back up your current configuration.
2. Download Pascom Cloud Phone System version 7.20.x or later from the vendor portal.
3. Follow the vendor's upgrade procedure.
4. Restart the phone system services.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the management REST API endpoints to only trusted administrative IP addresses.
```shell
# Allow the management API port only from the trusted admin address, then drop everything else
iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP
```
Endpoint Disablement
Temporarily disable or block access to the /services/apply endpoint if it is not critically needed.
```shell
# Modify the web server configuration to block the /services/apply endpoint
# Example for Apache: RewriteRule ^/services/apply - [F,L]
# Example for Nginx:  location /services/apply { deny all; }
```
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the phone system management interface from untrusted networks
- Deploy a web application firewall (WAF) with rules to block shell metacharacters in API requests
🔍 How to Verify
Check if Vulnerable:
Check the Pascom Cloud Phone System version via the web interface or by examining the installed packages. If the version is below 7.20.x, the system is vulnerable.
Check Version:
Check the web interface admin panel, or run: dpkg -l | grep pascom (on Debian/Ubuntu) or rpm -qa | grep pascom (on RHEL/CentOS)
Verify Fix Applied:
Verify that the system is running version 7.20.x or later and test that shell metacharacters sent to the /services/apply endpoint no longer execute commands.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /services/apply endpoint containing shell metacharacters like ;, |, &, $, (, ), `
- Unexpected process execution from web server user context
- Failed authentication attempts followed by API exploitation
Network Indicators:
- HTTP POST requests to /services/apply containing shell metacharacters in parameters
- Unusual outbound connections from the phone system server
SIEM Query:
source="pascom_logs" AND (uri_path="/services/apply" AND (request_body="*;*" OR request_body="*|*" OR request_body="*&*" OR request_body="*`*"))
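The SIEM query above is a raw wildcard match, so it flags every multi-field form body because of the "&" separator and misses percent-encoded characters such as %3B. The detector below, an added example that is not part of the original advisory or any Pascom tooling, decodes each body value before matching; the JSON log layout and field names are an assumption modelled on the query.

```python
import json
from urllib.parse import unquote_plus

# Endpoint and metacharacters named in the advisory's detection section.
VULNERABLE_PATH = "/services/apply"
SHELL_METACHARS = frozenset(";|&$()`")

# Constructed sample log lines (JSON, one record per line). Field names follow
# the SIEM query above and are an assumption, not Pascom's actual log format.
SAMPLE_LOGS = """
{"src_ip": "10.0.0.5", "uri_path": "/services/apply", "request_body": "name=default&mode=fast"}
{"src_ip": "198.51.100.7", "uri_path": "/services/apply", "request_body": "name=a;b"}
{"src_ip": "198.51.100.7", "uri_path": "/services/apply", "request_body": "name=a%60b%60&mode=fast"}
{"src_ip": "10.0.0.9", "uri_path": "/services/status", "request_body": "q=a|b"}
this line is not JSON and must not abort the scan
""".strip().splitlines()


def suspicious_fields(body):
    """Return (field, metachars) pairs for the values of a form-encoded body.

    Values are URL-decoded first, so %3B (';') or %60 ('`') are caught. The
    '&' between fields is not counted, unlike a raw "*&*" wildcard match,
    which would flag every ordinary multi-field form body.
    """
    hits = []
    for field in (body or "").split("&"):
        name, _, raw_value = field.partition("=")
        value = unquote_plus(raw_value)
        chars = sorted(c for c in SHELL_METACHARS if c in value)
        if chars:
            hits.append((unquote_plus(name), chars))
    return hits


def scan_logs(lines):
    """Flag requests to /services/apply whose body values carry metacharacters."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than aborting the scan
        if not isinstance(rec, dict) or rec.get("uri_path") != VULNERABLE_PATH:
            continue
        hits = suspicious_fields(rec.get("request_body"))
        if hits:
            alerts.append({"src_ip": rec.get("src_ip"), "hits": hits})
    return alerts
```

Running scan_logs(SAMPLE_LOGS) returns two alerts, both for 198.51.100.7, while the benign multi-field body and the request to a different path are left alone.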
🔗 References
- https://kerbit.io/research/read/blog/4
- https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
- https://www.pascom.net/doc/en/release-notes/