All major Canadian internet service providers (ISPs) have patched a vulnerability this week in their telecommunications relay services (TRSs).
TRS systems, or IP-relays, are telco-provided services that allow people with disabilities, such as deafness or speech disorders, to place calls to standard telephone users via keyboards or other assistive devices.
They are not critical equipment inside a telco's network, but they sit among the dozens of other systems running on an ISP's infrastructure, which makes them part of the attack surface that needs to be properly secured.
On Saturday, August 19, Dominik Penner and Manny Mand, two security researchers with Project Insecurity, revealed that TRS systems developed by Soleo Communications were impacted by a local file disclosure vulnerability.
The two explained that this vulnerability, caused by improper input sanitization, allows an attacker to determine what files are stored on a TRS system, and then access the files via its web interface.
Penner and Mand believe an attacker would be able to use this vulnerability to retrieve source code files present on the TRS system or the underlying web server.
"Within the source code lies passwords which allow the servlet to communicate with other services, such as SQL/LDAP," the two said in a report published over the weekend. "An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack."
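The flaw class described above (a file name taken from the request and used without proper sanitization) is shown here beside a confined version, as an added example that is not Soleo's code or the researchers' proof of concept. The class name, the `/srv/relay/pages` directory and the sample inputs are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class RelayPageResolver {
    // Hypothetical content directory; not a path from Soleo's product.
    static final Path BASE = Paths.get("/srv/relay/pages").toAbsolutePath().normalize();

    // Flawed pattern: the request value is joined to the base directory unchecked,
    // so "../" segments or an absolute path can select a file outside BASE.
    static Path resolveUnchecked(String requested) {
        return BASE.resolve(requested);
    }

    // Hardened pattern: normalize first, then require the result to stay under BASE.
    static Path resolveConfined(String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new IOException("rejected: empty or malformed name");
        }
        Path candidate = BASE.resolve(requested).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IOException("rejected: resolves outside content directory");
        }
        // If the file exists, resolve symlinks and check again against the real base.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(BASE.toRealPath())) {
            throw new IOException("rejected: symlink leaves content directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the researchers' report.
        String[] samples = { "help.html", "../WEB-INF/web.xml",
                             "/etc/hostname", "a/../../conf/db.properties" };
        for (String s : samples) {
            System.out.println("unchecked " + s + " -> " + resolveUnchecked(s).normalize());
            try {
                System.out.println("  served  -> " + resolveConfined(s));
            } catch (IOException e) {
                System.out.println("  blocked (" + e.getMessage() + ")");
            }
        }
    }
}
```

Confinement limits which files the web interface can return; it does not remove the risk the researchers describe if credentials for SQL or LDAP still sit in files under the served directory.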
Using simple Google dorks (specially crafted search queries), the two discovered several ISPs running Soleo's TRS software.
The biggest concentration of TRS systems was in Canada, where researchers found several telcos running the vulnerable software, including the country's biggest ISPs, such as Rogers, Telus, and BCE. The full list is below. The listed ISPs serve over 30 million Canadians.
"A determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially launch a large scale identity theft operation against Canadians," the two said.
"Seeing as Canada’s federal elections are coming up in 2019, this vulnerability could have had detrimental effects for Canadian citizens who confide in these providers to safeguard their identity," Penner and Mand added.
While there initially seemed to be miscommunication between the two Project Insecurity researchers and Soleo, all major Canadian ISPs had patched their TRS systems a day after the two published their findings, it was revealed in a tweet.
"All of the major Canadian ISPs have now updated to SOLEO's new patch. This is good. The way disclosure was handled? Not so good. We will blog about this tomorrow to explain the situation in more detail and a few issues that we have." — PROJECT INSECURITY (@insecurity), August 19, 2018