Vulnerability in IP Relay Service Impacts Major Canadian ISPs
21.8.18 securityweek
Vulnerebility

A recently addressed local file disclosure vulnerability in the SOLEO IP Relay service impacted nearly all major Internet service providers (ISPs) in Canada, a security researcher has discovered.

Also known as telecommunications relay services (TRSs), the IP relays developed by Soleo Communications are available through all major ISPs in Canada.

The cloud-based IP Relay service was launched over half a decade ago to allow hearing-impaired individuals and those with speech disorders to place calls through a TTY (text terminal) or other assistive telephone device.

Because of improper input sanitization, these services exposed sensitive user information, Project Insecurity researcher Dominik Penner discovered.

In a report (PDF) published late last week, the security researcher explains that the security flaw could be abused to determine the layout of the IPRelayApp directory and find the location of the source files on the IP Relay server. All of the discovered files could then be downloaded by an attacker, the researcher says.

The files were found to be classes compiled in Java bytecode, but “a determined attacker would easily be able to convert this directly back to source, compromising source code and other sensitive files,” Penner points out.

The source code also includes passwords the servlet uses to communicate with other services and an attacker able to extract these passwords could then either escalate their privileges on the server or abuse the extracted information in social engineering attacks.

“The end result could be escalated to yield remote code execution, though we were not comfortable attempting to do this before getting in contact with the vendor,” the researcher notes.

Working in collaboration with security researcher Manny Mand, Penner discovered that at least ten Canadian ISPs were running the vulnerable instance of Soleo’s IP Relay. Six of these, Penner says, are the largest telecom providers in Canada.

“[W]e have confirmed that a determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially​ launch a large scale identity theft operation against Canadians,” the researcher says.

An attacker exploiting the vulnerability could compromise over 30 million Canadian records, he said.

The bug was reported to the vendor on July 19 and was confirmed as patched on August 10.