CVE-2022-22845

9.8 CRITICAL

📋 TL;DR

CVE-2022-22845 is a critical authentication bypass vulnerability in QXIP SIPCAPTURE homer-app where all installations share the same hardcoded JWT secret key. This allows attackers to forge valid authentication tokens and gain unauthorized access to HOMER 7.x systems. All customers using affected versions are vulnerable regardless of their specific configuration.

💻 Affected Systems

Products:
  • QXIP SIPCAPTURE homer-app
Versions: All versions before 1.4.28 for HOMER 7.x
Operating Systems: All platforms running HOMER
Default Config Vulnerable: ⚠️ Yes
Notes: All installations are affected due to the hardcoded secret key being identical across all customer deployments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to access sensitive SIP call data, modify configurations, execute arbitrary code, and potentially pivot to other systems in the network.

🟠

Likely Case

Unauthorized access to SIP monitoring data, call interception, data exfiltration, and potential privilege escalation within the HOMER system.

🟢

If Mitigated

Limited impact if proper network segmentation, strict access controls, and monitoring are in place to detect anomalous authentication attempts.

🌐 Internet-Facing: HIGH - Any internet-facing HOMER installation is immediately vulnerable to remote exploitation without authentication.
🏢 Internal Only: HIGH - Even internal-only deployments are vulnerable to insider threats or attackers who gain initial network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers can generate valid JWT tokens using the publicly known secret key without any special tools or skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.28

Vendor Advisory: https://github.com/sipcapture/homer-app/commit/7f92f3afc8b0380c14af3d0fc1c365318a2d1591

Restart Required: Yes

Instructions:

1. Backup current configuration and data.
2. Update homer-app to version 1.4.28 or later.
3. Restart the homer-app service.
4. Regenerate all JWT tokens, as old tokens will be invalidated.

🔧 Temporary Workarounds

Network Isolation (linux)

Restrict network access to HOMER systems to only trusted IP addresses:

iptables -A INPUT -p tcp --dport [HOMER_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [HOMER_PORT] -j DROP

Reverse Proxy with Authentication (all platforms)

Place HOMER behind a reverse proxy with an additional authentication layer.

🧯 If You Can't Patch

  • Immediately isolate the HOMER system from untrusted networks and internet access
  • Implement strict network monitoring for authentication attempts and JWT token usage

🔍 How to Verify

Check if Vulnerable:

Check whether the installed homer-app version is below 1.4.28 by examining the package version, or check the configuration files for the hardcoded JWT secret.

Check Version:

dpkg -l | grep homer-app  # Debian/Ubuntu or check package manager for your distribution

Verify Fix Applied:

Verify that homer-app is at version 1.4.28 or later and confirm that JWT tokens are now issued with a unique, installation-specific secret.
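As an added check for the "Verify Fix Applied" step (example code written here, not part of homer-app), the script below takes JWTs issued by your own deployment and reports any whose HS256 signature still verifies under the old shared default secret. The default secret itself is not reproduced; `KNOWN_DEFAULT_SECRET` is a placeholder to be filled from the vendor commit linked above, and `_constructed_token` only builds sample input for the self-test.

```python
import base64
import hashlib
import hmac
import json

# Placeholder: the secret that pre-1.4.28 homer-app shipped in every install.
# Its real value is deliberately not included here; take it from the vendor commit.
KNOWN_DEFAULT_SECRET = "REPLACE_WITH_DEFAULT_SECRET_FROM_VENDOR_COMMIT"


def _b64url_decode(part: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_signed_with(token: str, secret: str) -> bool:
    """True if `token` is an HS256 JWT whose signature verifies under `secret`.

    Defensive use: a token issued by your HOMER that verifies under the old
    shared default means the fix is not in effect (or the token was forged).
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # never treat 'none' or other algorithms as a match
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def audit(tokens, default_secret=KNOWN_DEFAULT_SECRET):
    """Return the subset of `tokens` that still verify under the shared default."""
    return [t for t in tokens if token_signed_with(t, default_secret)]


def _constructed_token(secret: str) -> str:
    """Constructed sample HS256 token (self-test data only, not a real HOMER token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"username": "demo-user"}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

Feed `audit()` the tokens your deployment hands out after upgrading; an empty result is the expected outcome once per-installation secrets are in use.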

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful logins
  • Multiple JWT token generation from unusual IP addresses
  • Access patterns inconsistent with normal user behavior

Network Indicators:

  • JWT tokens in requests matching the known hardcoded secret pattern
  • Authentication bypass attempts to HOMER endpoints

SIEM Query:

source="homer-app" AND (event="authentication" OR event="jwt") AND (status="success" FROM suspicious_ip OR token_pattern="167f0db2")
