CVE-2019-10655

Name of the Vulnerable Software and Affected Versions Grandstream GAC2500 version 1.0.3.35 Grandstream GXP2200 version 1.0.3.27 Grandstream GVC3202 version 1.0.3.51 Grandstream GXV3275 versions prior to 1.0.3.219 Beta Grandstream GXV3240 versions prior to 1.0.3.219 Beta

Description The issue allows unauthenticated remote code execution via shell metacharacters in a "/manager?action=getlogcat" priority field. This is done in conjunction with a buffer overflow, via the phonecookie cookie, to overwrite a data structure and consequently bypass authentication. The exploitation can occur remotely or via CSRF, as the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.

Recommendations For Grandstream GAC2500 version 1.0.3.35, update to a version that fixes the issue. For Grandstream GXP2200 version 1.0.3.27, update to a version that fixes the issue. For Grandstream GVC3202 version 1.0.3.51, update to a version that fixes the issue. For Grandstream GXV3275 versions prior to 1.0.3.219 Beta, update to version 1.0.3.219 Beta or later. For Grandstream GXV3240 versions prior to 1.0.3.219 Beta, update to version 1.0.3.219 Beta or later. As a temporary workaround, consider restricting access to the "/manager?action=getlogcat" endpoint until a patch is available. Avoid using the phonecookie cookie in the affected API endpoint until the issue is resolved.