
All major Canadian internet service providers (ISPs) have patched a vulnerability this week in their telecommunications relay services (TRSs).

TRS systems, or IP-relays, are telco-provided services that allow people with disabilities, such as deafness or speech disorders, to place calls to standard telephone users via keyboards or other assistive devices.

They are not critical equipment inside a telco's network, but they run alongside the tens of other systems on an ISP's infrastructure, which makes them part of the attack surface that needs to be properly secured.

Soleo TRS systems impacted by simple flaw

On Saturday, August 19, Dominik Penner and Manny Mand, two security researchers with Project Insecurity, revealed that TRS systems developed by Soleo Communications were impacted by a local file disclosure vulnerability.

The two explained that this vulnerability, caused by improper input sanitization, allows an attacker to determine what files are stored on a TRS system, and then access the files via its web interface.

Penner and Mand believe an attacker would be able to use this vulnerability to retrieve source code files present on the TRS system or the underlying web server.

"Within the source code lies passwords which allow the servlet to communicate with other services, such as SQL/LDAP," the two said in a report published over the weekend. "An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack."
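The report's details of the flaw are not reproduced in this article, so the following is an added example and not Soleo's code: it shows how a Java file-serving handler can defend against this class of bug, assuming the file name arrives as a request parameter. All class, method and file names are hypothetical, and the sample files are constructed.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.Set;

// Added illustration; names are hypothetical, not taken from the TRS product.
public class SafeFileResolver {
    // Only static asset types are served; source and config files never are.
    private static final Set<String> ALLOWED = Set.of("html", "css", "js", "png");
    private final Path root;

    public SafeFileResolver(Path webRoot) throws IOException {
        this.root = webRoot.toRealPath();   // canonical root, symlinks resolved
    }

    // The unsafe form would be root.resolve(name) used as-is, which lets
    // "../" walk out of the web root. Hardened form: canonicalise the path,
    // confirm it is still inside the root, then check the file type.
    Path resolveSafe(String name) throws IOException {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new SecurityException("not found");
        }
        Path candidate;
        try {
            candidate = root.resolve(name).toRealPath(); // follows symlinks
        } catch (NoSuchFileException | InvalidPathException e) {
            // Same answer as a denial, so responses do not reveal which files exist.
            throw new SecurityException("not found");
        }
        if (!candidate.startsWith(root) || !Files.isRegularFile(candidate)) {
            throw new SecurityException("not found");
        }
        String file = candidate.getFileName().toString();
        String ext = file.substring(file.lastIndexOf('.') + 1).toLowerCase();
        if (!ALLOWED.contains(ext)) {
            throw new SecurityException("not found");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: a web root plus a config file outside it.
        Path tmp = Files.createTempDirectory("trs-demo");
        Path web = Files.createDirectories(tmp.resolve("webroot"));
        Files.writeString(web.resolve("index.html"), "<h1>relay</h1>");
        Files.writeString(tmp.resolve("db.properties"), "password=CONSTRUCTED");
        SafeFileResolver r = new SafeFileResolver(web);
        for (String req : new String[] {"index.html", "../db.properties", "missing.html"}) {
            try {
                System.out.println(req + " -> served " + r.resolveSafe(req).getFileName());
            } catch (SecurityException e) {
                System.out.println(req + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Keeping service credentials out of anything the web server can read, source files included, limits the damage if a check like this is ever bypassed.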

All major Canadian ISPs were affected

Using simple Google dorks (specially crafted search queries), the two discovered several ISPs running Soleo's TRS software.

The biggest concentration of TRS systems was in Canada, where researchers found several telcos running the vulnerable software, including the country's biggest ISPs, such as Rogers, Telus, and BCE. The full list is below. The listed ISPs serve over 30 million Canadians.

Rogers (their services are hosted at
Bell Aliant
Fido (their services are hosted at
Koodo (their services are hosted at
Chatr (their services are hosted at

Ideal flaw for APT groups

"A determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially launch a large scale identity theft operation against Canadians," the two said.

"Seeing as Canada’s federal elections are coming up in 2019, this vulnerability could have had detrimental effects for Canadian citizens who confide in these providers to safeguard their identity," Penner and Mand added.

Although there initially seemed to be a miscommunication between the two Project Insecurity researchers and Soleo, a tweet revealed that all major Canadian ISPs had patched their TRS systems a day after the two published their findings.
