Rapid7 identifies Fuze vulnerabilities
Flaws could be used to view details and brute-force account authentication
Unified communications vendor Fuze has fixed multiple vulnerabilities in its TPN Handset Portal, which could be used to view personal details, 'sniff' security-critical data and brute-force accounts.
A user of Rapid7 (a Fuze customer) discovered the vulnerabilities in April. Although they were only recently announced, the flaws were fixed in May.
The first vulnerability, R7-2017-07.1 (Improper Access Control), allowed an attacker to use the MAC address associated with a registered Fuze handset to craft a URL that revealed personal information. The user's email address, account details, Fuze phone number and the link to the administration portal would all be visible to the attacker.
The total MAC address space is large, but the practical search space was much smaller, as an attacker would only need to target Polycom and Yealink phones, Fuze's officially supported handset brands. The organisationally unique identifier (OUI), the prefix of a MAC address that identifies the product's vendor, narrowed the possible targets down further.
The personal URL crafted using the above vulnerability prompted for a password, and the connection between the handset and the TPN portal was unencrypted. An attacker who could intercept network traffic while the handset booted would be able to view the content of its requests to the portal, including the administration code. This is the second vulnerability, R7-2017-07.2 (Cleartext Transmission of Sensitive Information).
If an attacker was not watching network traffic during the handset boot, they could still determine the administration portal URL by MAC enumeration, as described under R7-2017-07.1. With that URL, they could try access codes until one succeeded, as authentication attempts were not limited. This was R7-2017-07.3 (Improper Restriction of Excessive Authentication Attempts).
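Both attack paths described above leave a recognisable trace in a portal's access logs: one source fetching many distinct per-handset URLs in a short time, and one login URL receiving a run of failed attempts. The following detector is an added example written for this article, not code from Rapid7 or Fuze. The log format and the URL layouts `/handset/<mac>` and `/admin/<account>/login` are assumptions standing in for the portal's real, unspecified scheme, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the article or from Fuze).
# Assumed format: "<ISO timestamp> <client ip> <method> <path> <status>".
SAMPLE_LOG = """\
2017-04-10T09:00:00 198.51.100.7 GET /handset/0011223344a1 200
2017-04-10T09:00:02 198.51.100.7 GET /handset/0011223344a2 200
2017-04-10T09:00:04 203.0.113.5 GET /handset/00112233ff07 200
2017-04-10T09:00:05 198.51.100.7 GET /handset/0011223344a3 200
2017-04-10T09:00:07 198.51.100.7 GET /handset/0011223344a4 200
2017-04-10T09:00:09 198.51.100.7 GET /handset/0011223344a5 200
2017-04-10T09:01:00 198.51.100.7 POST /admin/acct-123/login 401
2017-04-10T09:01:03 198.51.100.7 POST /admin/acct-123/login 401
2017-04-10T09:01:06 198.51.100.7 POST /admin/acct-123/login 401
2017-04-10T09:01:09 198.51.100.7 POST /admin/acct-123/login 401
2017-04-10T09:01:12 198.51.100.7 POST /admin/acct-123/login 401
2017-04-10T09:05:00 203.0.113.5 POST /admin/acct-777/login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
HANDSET_RE = re.compile(r"^/handset/([0-9a-f]{12})$")   # assumed per-handset URL layout
LOGIN_RE = re.compile(r"^/admin/[^/]+/login$")           # assumed admin-portal login URL


def parse_line(line):
    """Return (timestamp, ip, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def detect(lines, window_seconds=60, enum_threshold=5, fail_threshold=5):
    """Sliding-window detector; lines must be in chronological order.

    Emits ("enumeration", ip) when one source fetches enum_threshold distinct
    handset URLs inside the window, and ("bruteforce", path) when one login
    path receives fail_threshold failed (401) attempts inside the window.
    Each subject is reported once.
    """
    window = timedelta(seconds=window_seconds)
    handsets_by_ip = defaultdict(deque)    # ip -> deque of (ts, mac)
    failures_by_path = defaultdict(deque)  # login path -> deque of ts
    alerts, alerted = [], set()

    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, ip, method, path, status = event

        handset = HANDSET_RE.match(path)
        if method == "GET" and handset:
            q = handsets_by_ip[ip]
            q.append((ts, handset.group(1)))
            while ts - q[0][0] > window:       # drop events older than the window
                q.popleft()
            key = ("enumeration", ip)
            if len({mac for _, mac in q}) >= enum_threshold and key not in alerted:
                alerted.add(key)
                alerts.append(key)
        elif method == "POST" and status == 401 and LOGIN_RE.match(path):
            q = failures_by_path[path]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            key = ("bruteforce", path)
            if len(q) >= fail_threshold and key not in alerted:
                alerted.add(key)
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {kind}: {subject}")
```

The enumeration rule counts distinct handset identifiers rather than raw requests, so a single phone re-fetching its own page at boot does not trigger it; the brute-force rule is keyed on the target URL rather than the source, so attempts spread across several addresses are still counted together.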
All of the above issues have now been fixed: a password is required to access the TPN portal, traffic to the portal is encrypted, and authentication attempts to the portal are limited. MAC enumeration to find administration portal URLs is also no longer possible.
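The third fix, limiting authentication attempts, is the one most often implemented badly (a counter that never escalates, or one that a correct guess resets mid-attack). The sketch below is an added example of an escalating per-account lockout, written for this article; it is not Fuze's implementation, and the account identifiers, stored codes and timings are constructed.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of stored administration codes (not real Fuze data).
# Keying the hypothetical portal's codes by account id is an assumption.
STORED_CODES: Dict[str, str] = {"acct-123": "4821", "acct-777": "9035"}


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class AuthAttemptLimiter:
    """Per-account failure counting with escalating lockouts.

    Every `max_failures` consecutive failures locks the account for
    base_lockout * 2**n (n = number of earlier lockouts), capped at
    max_lockout. A successful login clears the account's record.
    """

    def __init__(self, max_failures=5, base_lockout=timedelta(minutes=1),
                 max_lockout=timedelta(hours=1)):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._state: Dict[str, _AccountState] = {}

    def is_locked(self, account: str, now: datetime) -> bool:
        st = self._state.get(account)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_failure(self, account: str, now: datetime) -> Optional[timedelta]:
        """Count a failed attempt; return the lockout duration if one was triggered."""
        st = self._state.setdefault(account, _AccountState())
        st.failures += 1
        if st.failures % self.max_failures == 0:
            earlier_lockouts = st.failures // self.max_failures - 1
            duration = min(self.base_lockout * (2 ** earlier_lockouts), self.max_lockout)
            st.locked_until = now + duration
            return duration
        return None

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


def verify_access_code(limiter: AuthAttemptLimiter, account: str,
                       supplied_code: str, now: datetime) -> str:
    """Return "locked", "denied" or "ok". Unknown accounts are counted like wrong codes."""
    if limiter.is_locked(account, now):
        return "locked"          # rejected before the code is even compared
    expected = STORED_CODES.get(account, "")
    # compare_digest keeps the comparison time independent of where the codes differ
    if expected and hmac.compare_digest(expected.encode(), supplied_code.encode()):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, now)
    return "denied"


def run_demo() -> List[str]:
    """Drive a constructed attempt sequence; returns each attempt's outcome in order."""
    limiter = AuthAttemptLimiter(max_failures=3, base_lockout=timedelta(minutes=1))
    t0 = datetime(2017, 5, 1, 12, 0, 0)
    attempts = [
        ("acct-123", "0000", t0),                          # wrong code
        ("acct-123", "1111", t0 + timedelta(seconds=1)),   # wrong code
        ("acct-123", "2222", t0 + timedelta(seconds=2)),   # third failure: 1-minute lockout
        ("acct-123", "4821", t0 + timedelta(seconds=10)),  # right code, but still locked
        ("acct-123", "4821", t0 + timedelta(seconds=62)),  # lockout expired: accepted
        ("nobody",   "4821", t0 + timedelta(seconds=63)),  # unknown account
    ]
    return [verify_access_code(limiter, a, c, t) for a, c, t in attempts]


def escalation_demo() -> List[int]:
    """Lockout lengths in minutes for 9 straight failures with max_failures=3, cap 3 min."""
    limiter = AuthAttemptLimiter(max_failures=3, base_lockout=timedelta(minutes=1),
                                 max_lockout=timedelta(minutes=3))
    now = datetime(2017, 5, 1, 12, 0, 0)
    durations = [limiter.record_failure("acct-777", now) for _ in range(9)]
    return [int(d.total_seconds() // 60) for d in durations if d is not None]


if __name__ == "__main__":
    print(run_demo())          # ['denied', 'denied', 'denied', 'locked', 'ok', 'denied']
    print(escalation_demo())   # [1, 2, 3]
```

Two details matter in practice: the lock is checked before the supplied code is compared, so a correct guess made during a lockout is still rejected, and the failure count survives an expired lockout, so each subsequent lockout is longer until the cap is reached.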
Fuze said that it 'has no evidence of any bad actors exploiting this vulnerability to compromise customer data', and thanked Rapid7 for its work.