CVE-2018-11518

{"id": "CVE-2018-11518", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2018-05-30T20:29:00.250", "references": [{"url": "http://virgil-cj.blogspot.com/2018/05/0day-legacy-ivr-lets-phreak.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://datarift.blogspot.com/2018/05/CVE-2018-11518-abusing-ivr-systems.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/mishradhiraj_/status/1001664204485652482", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/mishradhiraj_/status/1001664440759091207", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece)."}, {"lang": "es", "value": "Una vulnerabilidad permite un ataque de phreaking en los sistemas IVR heredados de HCL que no emplean VoIP. Estos sistemas IVR dependen de varias frecuencias de se\u00f1ales de audio; se procesan ciertos comandos y funciones en base a dichas frecuencias. Ya que estas frecuentas se aceptan en una llamada telef\u00f3nica, un atacante puede grabar estas frecuencias y emplearlas para realizar activaciones de servicios. Este es un problema de Request-Forgery cuando la serie de se\u00f1ales DTMF requerida para activar un servicio es predecible (por ejemplo, el sistema IVR no comunica un nonce al llamante). En este caso, el sistema IVR acepta una petici\u00f3n de activaci\u00f3n de un canal menos seguro (cualquier altavoz en el entorno f\u00edsico del llamante) sin verificar que la petici\u00f3n sea intencional (coincide con un nonce que se ha enviado por medio de un canal m\u00e1s seguro al auricular del llamante)."}], "lastModified": "2018-07-20T16:10:52.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hcltech:legacy_ivr_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9B9B1F8-7095-48BD-BAE3-E471BABBA1FA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hcltech:legacy_ivr:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5226101C-AEB5-4660-A9B6-C0F6EB6FA717"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}