Experts found backdoors in a popular Auerswald VoIP appliance


Researchers found multiple backdoors in a popular VoIP (voice over Internet protocol) appliance made by the German manufacturer Auerswald.

Researchers from RedTeam Pentesting discovered multiple backdoors in a popular VoIP (voice over Internet protocol) appliance made by the German manufacturer Auerswald.


The backdoors were discovered as part of penetration testing; they allow attackers to gain full administrative access to the impacted devices.

The researchers reverse engineered the firmware image for the COMpact 5500, version 7.8A, which was downloaded from the Auerswald support website. For their analysis they used Ghidra, the open-source reverse engineering tool developed by the US National Security Agency (NSA).

The experts started investigating the password reset functionality that requests access to the web interface.

Digging into the code, the researchers discovered that the username used for authentication is compared to another string:

iVar5 = strcmp((char *)username,"Schandelah");

“Schandelah” appears to be an undocumented, special username; it is the name of a village in northern Germany where Auerswald produces its devices.

Further analysis of the code revealed that the manufacturer's implementation of strncpy, auer_strncpy, ensures that the string is properly null-terminated, and the backdoor password actually consists of only seven characters of the MD5 hash:

$ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'

“So the only secret information an attacker needs to know to generate the password for the user Schandelah is the serial number of the PBX. However, it turns out that this information is not so secret after all, but can be retrieved without authentication from the path /about_state” reads the analysis published by the experts. “Equipped with this password we then could authenticate successfully. After logging in, the web interface showed a special service page, which allowed among other functions to reset the administrator password.”

The backdoor password allowed the experts to reset the administrator password and gain full privileges on the PBX. Then the pen testers looked for invocation of the same password generator in other places of the code.

“This branch of code is executed when the administrative username admin is passed. First, the real admin password stored in the variable local_d8 is checked. If the password entered by the user does not match, it is compared again to a “fallback” password generated using the backdoor routine. However, this time, the country code configured for the PBX is read out and passed as an argument.” continues the analysis. “Consequently, the fallback password for the admin user is generated with the two letter country code, for example:

$ echo -n 1234123412r2d230.08.2021DE | md5sum | egrep -o '^.{7}'

The admin fallback password provides full-privileged access to the PBX without needing to change the password first.”

The above issue is tracked as CVE-2021-40859 and received a CVSS score of 9.8.

During the pen-testing activity, the experts also found other vulnerabilities: credentials could be read out from a single IP telephone (CVE-2021-40856), which allowed access to the PBX with limited privileges. An attacker can escalate these privileges to “sub-admin” (CVE-2021-40857) to configure the PBX.

RedTeam Pentesting reported the issues to Auerswald on September 10, 2021, and the German manufacturer addressed the issue with the release of a firmware update in November 2021.

“Firmware Update 8.2B contains important security updates that you should definitely apply, even if you don’t need the advanced features.” reads the security advisory published by the vendor. “Recommendation: In addition to installing this update, you should also deactivate direct access from the Internet to the web interface (via port forwarding in the router) for security reasons. Instead, use the Auerswald Remote Access or VPN to access remote ICT systems via the Internet.”
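
Because the serial number is readable without authentication at /about_state and the vendor advises against exposing the web interface to the Internet, a log review for outside clients reaching the PBX is a useful check. The following is an added example, not code from RedTeam Pentesting, Auerswald or the original article. It assumes a reverse proxy or firewall in front of the PBX writes Common Log Format lines; the management networks, the sample lines and the /login path are constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks from which PBX administration is expected.
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Common Log Format prefix: client, timestamp, request path, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Constructed sample lines (documentation addresses); /login is hypothetical.
SAMPLE_LOG = """\
192.168.10.5 - - [02/Dec/2021:09:14:01 +0100] "GET /about_state HTTP/1.1" 200 512
203.0.113.44 - - [02/Dec/2021:09:15:12 +0100] "GET /about_state HTTP/1.1" 200 512
203.0.113.44 - - [02/Dec/2021:09:15:13 +0100] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [02/Dec/2021:10:02:40 +0100] "GET / HTTP/1.1" 200 2048
garbage line that does not parse
"""


def is_external(ip_text):
    """True if the client address is outside every management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable client field: treat as untrusted
    return not any(ip in net for net in MGMT_NETS)


def review(log_text):
    """Per external client: total hits, /about_state hits, first/last time."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_external(m["ip"]):
            continue
        f = findings.setdefault(m["ip"], {"hits": 0, "about_state": 0,
                                          "first": m["ts"], "last": m["ts"]})
        f["hits"] += 1
        f["last"] = m["ts"]
        # Ignore query string and trailing slash when matching the path.
        if m["path"].split("?", 1)[0].rstrip("/") == "/about_state":
            f["about_state"] += 1
    return findings


if __name__ == "__main__":
    for client, f in review(SAMPLE_LOG).items():
        sev = "HIGH" if f["about_state"] else "MEDIUM"
        print(sev, client, f["hits"], f["about_state"], f["first"], f["last"])
```

Any external client in the result means the web interface is reachable from outside the management networks; a non-zero /about_state count marks clients that could have read the serial number.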

Pierluigi Paganini

(SecurityAffairs – hacking, Auerswald)
