Managed security service provider Trustwave has today published details of a command injection vulnerability impacting a number of Lifesize video conferencing products. The impacted products are those within the 10-year-old Lifesize 220 series system range.
This zero-day threat could enable a threat actor to use PHP files within the Lifesize support section, along with default passwords that are shipped with Lifesize products, to gain an initial foothold within the corporate environment where those products are located.
Combining the Trustwave zero-day with a previously disclosed privilege escalation vulnerability would bring the possibility of root privileges on the Lifesize product system, along with full persistence on that device and the underlying network.
Trustwave responsibly disclosed details of the fairly trivial vulnerability to Lifesize back in November and, having had no response, reached out through the support channel in early January.
As well as providing Lifesize with a link to that earlier privilege escalation bug, the Trustwave researchers also included a proof-of-concept exploit written in Python that achieved full remote code execution (RCE) on the impacted products. Taking a single argument (the IP address of the Lifesize product) and attempting to connect with the default credentials, the script crafted a malicious request that injected code with a payload which escalated from the Apache user to root and spawned a reverse shell with root privileges.
The response that Trustwave initially got from one of the global support engineers at Lifesize was that these were legacy devices at an end-of-sale point with end-of-life dates announced. That reply stated that "our developers are aware of some known vulnerabilities with the systems" but "development for these devices has slowed significantly as they are end of life". The support engineer went on to state that "for devices that are still under support, we may target future releases".
Initially, despite all this proof, Lifesize did not patch either of these vulnerabilities, leaving those Lifesize devices and Lifesize customers using them vulnerable to exploitation, according to Trustwave. With thousands of these devices accessible to the internet, a Shodan search uncovered 372 such devices in universities alone, and likely many more residing on internal networks, indicating the scale of the risk.
SC Media UK contacted the Lifesize press team this morning, and they gave us a statement that was still in preparation:
"After first learning of this flaw and conducting our initial investigation, Lifesize engineering confirmed that the vulnerability applied only to 220 Series systems tampered with from within the organisation’s firewall – the systems are not believed to be vulnerable to outside attack.
"The reported vulnerability does not allow for remote tampering, and at no time has customers’ media been exposed or compromised due to a known exploit from outside of the organisation. There are zero known instances of a 220 Series system being compromised using this exploit method, nor do we have any reason to believe current customers have been impacted, but we are actively looking into it.
"We encourage all customers using Lifesize 220 Series systems to contact Lifesize support for a hotfix. Our support teams can be reached by telephone, email or by opening a support ticket. For more information, visit: https://www.lifesize.com/en/support/contact-support."
Bobby Beckmann, chief technology officer at Lifesize, said, "In rare instances when security flaws are found in our current lineup of products, they are addressed and patched within a matter of weeks, if not days."
He added: "While we’re committed to providing maintenance and support to our 220 Series system, it is a 10-year-old product and many of our customers are moving towards more modern technology."
This does, however, open the door to the question of when, in such circumstances, the security responsibility for legacy 'end of life' products passes to the enterprise. SC decided to ask the industry.
Martin Jartelius, CSO of Outpost24, was blunt in his support for Lifesize’s position, telling SC Media UK, "The entire point of end-of-support and end-of-life is that at some point the device is considered to be past its life expectancy. Organisations should stay well clear of end-of-life devices, and where they cannot be replaced then isolate them."
Mary-Jo de Leeuw, director of cybersecurity advocacy EMEA at ISC2, agreed that once end of life has arrived then "the enterprise has to take on the burden of responsibility for ensuring the safety and reliability of the legacy system and any data within it. It also means that, in many cases, the responsible action is to decommission it and replace it with something that is still manufacturer supported."
Rod Soto, head of security research with JASK, says there "should be a mechanism, or industry regulation, that informs and warns end users or enterprises that devices are reaching end of life." Something like the French proposals for publishing the source code of end of life commercial software perhaps?
"This solution is not without its issues," notes Tim Mackey, technical evangelist at Synopsys, "most notably the handling of patented processes and trade secrets along with an assumption the requisite skill set exists within a willing open source development community, but it does present an interesting option for legacy software management."
However, others take a zero-trust approach to all hardware, arguing that end of life is beside the point: at the end of the day there are simply no products that can guarantee zero vulnerabilities or coding flaws.
"To be thorough, a business should build a threat model, taking into consideration potential problems with the hardware," advises Dmitry Sklyarov, head of reverse engineering at Positive Technologies. "Then plan the options for solving situations involving 0-day, end-of-life or other issues."