Sign-up

ID

VAR-201109-0091


CVE

CVE-2011-2762


TITLE

LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability

Trust: 0.8

sources: CERT/CC: VU#213486

DESCRIPTION

The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) allows remote attackers to bypass authentication via unspecified data associated with a "true" authentication status, related to AMF data and the LSRoom_Remoting.authenticate function in gateway.php. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability. Exploiting these issues could allow an attacker to bypass authentication or execute arbitrary commands in the context of the application. LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable. Unauthenticated OS command injection is possible through the web interface. The easiest way to perform these attacks is using a web proxy. Authentication By Pass: ----------------------- Following the request to /gateway.php that references the LSRoom_Remoting.authenticate function, modify the AMF data in the response from the server to change "false" to "true" Example: Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00" Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01" Command Injection: ------------------ The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand within the encoded AMF data. The original parameter for the vulnerable function is "pref -l /var/system/upgrade/status" Replace this part with the command to be executed. Authentication to the web application is not necessary however a valid PHP session ID must be passed within the request. References: ----------- CVE-2011-2762 - authentication bypass CVE-2011-2763 - OS command injection

Trust: 3.24

sources: NVD: CVE-2011-2762 // CERT/CC: VU#213486 // JVNDB: JVNDB-2011-002226 // CNVD: CNVD-2011-3535 // BID: 49330 // PACKETSTORM: 104535

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2011-3535

AFFECTED PRODUCTS

vendor:lifesizemodel:room appliance softwarescope:eqversion:ls_rm1_3.5.3

Trust: 1.6

vendor:lifesizemodel:communications lifesize roomscope:eqversion:3.5.3

Trust: 0.9

vendor:lifesizemodel:communications lifesize roomscope:eqversion:4.7.18

Trust: 0.9

vendor:logitechmodel: - scope: - version: -

Trust: 0.8

vendor:lifesizemodel:roomscope:eqversion:ls_rm1_3.5.3 (11)

Trust: 0.8

sources: CERT/CC: VU#213486 // CNVD: CNVD-2011-3535 // BID: 49330 // JVNDB: JVNDB-2011-002226 // CNNVD: CNNVD-201109-001 // NVD: CVE-2011-2762

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-2762
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#213486
value: 1.36

Trust: 0.8

NVD: CVE-2011-2762
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201109-001
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2011-2762
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CERT/CC: VU#213486 // JVNDB: JVNDB-2011-002226 // CNNVD: CNNVD-201109-001 // NVD: CVE-2011-2762

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2011-002226 // NVD: CVE-2011-2762

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201109-001

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201109-001

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2011-002226

PATCH
title:LifeSize Roomurl:http://www.lifesize.com/Products/Video/LifeSize_Room_Series/Room.aspx
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2011-002226

EXTERNAL IDS
db:NVDid:CVE-2011-2762
Trust: 3.4
db:BIDid:49330
Trust: 3.3
db:CERT/CCid:VU#213486
Trust: 3.2
db:XFid:69445
Trust: 1.4
db:SREASONid:8364
Trust: 1.0
db:OSVDBid:75211
Trust: 0.8
db:JVNDBid:JVNDB-2011-002226
Trust: 0.8
db:CNVDid:CNVD-2011-3535
Trust: 0.6
db:BUGTRAQid:20110828 LIFESIZE ROOM VULNERABILITIES
Trust: 0.6
db:CNNVDid:CNNVD-201109-001
Trust: 0.6
db:PACKETSTORMid:104535
Trust: 0.1
sources:
            
            
            CERT/CC: VU#213486 // 
            
            
            
            CNVD: CNVD-2011-3535 // 
            
            
            
            BID: 49330 // 
            
            
            
            JVNDB: JVNDB-2011-002226 // 
            
            
            
            PACKETSTORM: 104535 // 
            
            
            
            CNNVD: CNNVD-201109-001 // 
            
            
            
            NVD: CVE-2011-2762

REFERENCES
url:http://www.securityfocus.com/bid/49330
Trust: 3.0
url:http://www.kb.cert.org/vuls/id/213486
Trust: 2.4
url:http://www.securestate.com/documents/lifesize_room_advisory.txt
Trust: 1.6
url:http://xforce.iss.net/xforce/xfdb/69445
Trust: 1.4
url:http://www.securityfocus.com/archive/1/519463/100/0/threaded
Trust: 1.0
url:http://securityreason.com/securityalert/8364
Trust: 1.0
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/69445
Trust: 1.0
url:about vulnerability notes
Trust: 0.8
url:contact us about this vulnerability
Trust: 0.8
url:provide a vendor statement
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-2762
Trust: 0.8
url:http://jvn.jp/cert/jvnvu213486
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-2762
Trust: 0.8
url:http://osvdb.org/75211
Trust: 0.8
url:http://www.securityfocus.com/archive/1/archive/1/519463/100/0/threaded
Trust: 0.6
url:http://www.lifesize.com/products/video/lifesize_room_series/room.aspx
Trust: 0.3
url:https://www.securestate.com
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2011-2762
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2011-2763
Trust: 0.1
sources:
            
            
            CERT/CC: VU#213486 // 
            
            
            
            CNVD: CNVD-2011-3535 // 
            
            
            
            BID: 49330 // 
            
            
            
            JVNDB: JVNDB-2011-002226 // 
            
            
            
            PACKETSTORM: 104535 // 
            
            
            
            CNNVD: CNNVD-201109-001 // 
            
            
            
            NVD: CVE-2011-2762

CREDITS
Spencer McIntyre
Trust: 0.4
sources:
            
            
            BID: 49330 // 
            
            
            
            PACKETSTORM: 104535

SOURCES
db:CERT/CCid:VU#213486
db:CNVDid:CNVD-2011-3535
db:BIDid:49330
db:JVNDBid:JVNDB-2011-002226
db:PACKETSTORMid:104535
db:CNNVDid:CNNVD-201109-001
db:NVDid:CVE-2011-2762

LAST UPDATE DATE
2025-04-11T22:59:26.477000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#213486date:2011-10-19T00:00:00
db:CNVDid:CNVD-2011-3535date:2011-09-07T00:00:00
db:BIDid:49330date:2011-08-26T00:00:00
db:JVNDBid:JVNDB-2011-002226date:2011-09-22T00:00:00
db:CNNVDid:CNNVD-201109-001date:2011-09-05T00:00:00
db:NVDid:CVE-2011-2762date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:CERT/CCid:VU#213486date:2011-08-29T00:00:00
db:CNVDid:CNVD-2011-3535date:2011-09-07T00:00:00
db:BIDid:49330date:2011-08-26T00:00:00
db:JVNDBid:JVNDB-2011-002226date:2011-09-22T00:00:00
db:PACKETSTORMid:104535date:2011-08-28T21:18:57
db:CNNVDid:CNNVD-201109-001date:2011-09-05T00:00:00
db:NVDid:CVE-2011-2762date:2011-09-02T16:55:04.803