Grandstream Networks, which manufactures a wide range of video conferencing and surveillance-related products, was found to have multiple remote code execution (RCE) flaws in some of its devices.
The bugs were discovered by the security company Trustwave Holdings last week. The company has also released an advisory addressing these flaws, which, when exploited, can render the devices inaccessible.
Worth noting
Why it matters - Brendan Scarvell, Senior Security Consultant at Trustwave SpiderLabs, told ThreatPost that the affected devices ship with the RCE flaws already present at the time of sale.
“The most notable aspect of the vulnerabilities is what you can do simply by using the programs that get shipped on the device. This includes playing audio through the speakers, recording conversations through the microphone, activating cameras and taking photos, installing custom software/malware, etc. This is pretty bad for places such as boardrooms or executive offices where confidential conversations frequently happen,” Scarvell emphasized.
What to do to protect yourself - The latest firmware version for all the affected devices fixes the RCE flaw. However, Trustwave said that the GAC2500 conferencing phone could still be exploited after the update.
Grandstream has yet to resolve this issue or release a new patch. Users are advised to enable automatic updates on these devices and to limit their use of end-of-life products.