
All major Canadian internet service providers (ISPs) patched a vulnerability in their telecommunications relay services (TRSs) this week.

TRS systems, or IP-relays, are telco-provided services that allow people with disabilities, such as deafness or speech disorders, to place calls to standard telephone users via keyboards or other assistive devices.

They are not critical equipment inside a telco's network, but they sit among the dozens of other systems running on an ISP's infrastructure, which makes them part of the attack surface that needs to be properly secured.

Soleo TRS systems impacted by simple flaw

On Saturday, August 19, Dominik Penner and Manny Mand, two security researchers with Project Insecurity, revealed that TRS systems developed by Soleo Communications were impacted by a local file disclosure vulnerability.

The two explained that this vulnerability, caused by improper input sanitization, allows an attacker to determine what files are stored on a TRS system, and then access the files via its web interface.

Penner and Mand believe an attacker would be able to use this vulnerability to retrieve source code files present on the TRS system or the underlying web server.

"Within the source code lie passwords which allow the servlet to communicate with other services, such as SQL/LDAP," the two said in a report published over the weekend. "An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack."

All major Canadian ISPs were affected

Using simple Google dorks (specially crafted search queries), the two discovered several ISPs running Soleo's TRS software.

The biggest concentration of TRS systems was in Canada, where researchers found several telcos running the vulnerable software, including the country's biggest ISPs, such as Rogers, Telus, and BCE. The full list is below. The listed ISPs serve over 30 million Canadians.

Bell
Sasktel
Telus
Shaw
Videotron
MTS
Rogers (their services are hosted at iprelayservice.net)
Bell Aliant
Cogeco
Fido (their services are hosted at iprelayservice.net)
Koodo (their services are hosted at iprelayservice.net)
Chatr (their services are hosted at iprelayservice.net)
AllStream
EastLink

Ideal flaw for APT groups

"A determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially launch a large scale identity theft operation against Canadians," the two said.

"Seeing as Canada’s federal elections are coming up in 2019, this vulnerability could have had detrimental effects for Canadian citizens who confide in these providers to safeguard their identity," Penner and Mand added.

Although there initially seemed to be miscommunication between the two Project Insecurity researchers and Soleo, all major Canadian ISPs had patched their TRS systems a day after the two published their findings, according to a tweet.
