CVE-2019-7632 in Teaminfo

Summary

by MITRE

LifeSize Team, Room, Passport, and Networker 220 devices allow Authenticated Remote OS Command Injection, as demonstrated by shell metacharacters in the support/mtusize.php mtu_size parameter. The lifesize default password for the cli account may sometimes be used for authentication.


Analysis

by VulDB Data Team • 05/09/2020

The vulnerability identified as CVE-2019-7632 is a critical authenticated remote operating system command injection flaw affecting LifeSize video conferencing and communication devices, including the Team, Room, Passport, and Networker 220 models. It resides in the support/mtusize.php web script, where the mtu_size parameter accepts user input without proper sanitization or validation, creating a direct path for command injection. The flaw falls under CWE-77, which categorizes improper neutralization of special elements used in OS commands, and it is particularly dangerous because it allows attackers to execute arbitrary system commands with the privileges of the affected application. Security researchers have demonstrated that the vulnerability can be exploited by including shell metacharacters in the mtu_size parameter, enabling attackers to gain unauthorized access to the underlying operating system.

The operational impact extends beyond simple command execution, because the flaw gives attackers persistent access to critical communication infrastructure within enterprise environments. Attackers leveraging it can potentially escalate privileges, access sensitive network information, modify device configurations, or establish persistent backdoors within the network. The presence of default credentials for the cli account significantly amplifies the risk: it lowers the barrier to exploitation by letting attackers authenticate with minimal effort before attempting command injection. The vulnerability maps to two techniques in the MITRE ATT&CK framework, T1059 (Command and Scripting Interpreter) and T1078 (Valid Accounts), because it combines authenticated access through a legitimate system account with the execution of malicious commands.

Organizations using LifeSize devices must implement immediate mitigations: apply vendor-provided security patches, disable unnecessary web services, and use network segmentation to limit access to these devices. The recommended approach is to change default credentials immediately, implement strict input validation for all web parameters, and monitor the network thoroughly for suspicious command execution patterns. Device administrators should also consider network access controls that restrict access to the support/mtusize.php endpoint, so that only authorized personnel can reach these critical system interfaces. In addition, organizations should perform regular security assessments to identify similar vulnerabilities in other networked devices and establish incident response procedures to address potential exploitation attempts quickly. The vulnerability highlights the importance of secure coding practices and input validation in embedded systems, particularly those handling network communications and user input in enterprise environments.
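The monitoring and input-validation advice above can be made concrete with an allowlist check on mtu_size. The following is an added example, not code from VulDB, MITRE or the vendor: it flags logged requests to support/mtusize.php whose mtu_size is anything other than a plain in-range integer. The log line format, the 68-9000 MTU range, and the parameter arriving in either the query string or a form body are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "support/mtusize.php"   # path named in the advisory
PARAM = "mtu_size"                 # parameter named in the advisory
MTU_MIN, MTU_MAX = 68, 9000        # assumed plausible range, not taken from the vendor

# Constructed log format: client IP, method, request target, urlencoded body ("-" if none)
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<body>\S+)$")

def classify_mtu(value):
    """Return 'ok' for a plain in-range decimal integer, otherwise a reason string."""
    # fullmatch with [0-9] rejects trailing newlines, signs, spaces and any metacharacter
    if not re.fullmatch(r"[0-9]{1,5}", value):
        return "non-numeric"
    if not MTU_MIN <= int(value) <= MTU_MAX:
        return "out-of-range"
    return "ok"

def suspicious_requests(lines):
    """Return (ip, decoded_value, reason) for endpoint requests with an unclean mtu_size."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["target"])
        if not unquote(url.path).lower().endswith("/" + ENDPOINT):
            continue
        body = "" if m["body"] == "-" else m["body"]
        for source in (url.query, body):   # parameter may arrive either way (assumption)
            for value in parse_qs(source, keep_blank_values=True).get(PARAM, []):
                reason = classify_mtu(value)
                if reason != "ok":
                    findings.append((m["ip"], value, reason))
    return findings

# Constructed sample lines, not captured traffic
SAMPLE_LOG = [
    "10.0.0.5 POST /support/mtusize.php mtu_size=1500",
    "10.0.0.9 POST /support/mtusize.php mtu_size=1500%3Becho+x",
    "10.0.0.9 GET /support/mtusize.php?mtu_size=%24(echo+x) -",
    "10.0.0.7 POST /support/mtusize.php mtu_size=99999",
    "10.0.0.5 GET /support/index.php?mtu_size=1500%3Bx -",
]

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Because the check is an allowlist, it needs no list of shell metacharacters: any value that is not one to five ASCII digits is reported.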

Reservation: 02/07/2019
Moderation: accepted
CPE: ready
EPSS: 0.04096
KEV: no
Activities: very low
