Vulnerability Details : CVE-2018-11518
A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece).
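The description above is a replay problem: the activation "credential" is a predictable DTMF sequence, and any audio source in the caller's environment can supply it. The following Python is an added worked example, not code from this page, from HCL, or from the cited advisories. It models both IVR designs with constructed values (a fixed activation sequence "1*2#", four-digit nonces, 8 kHz audio with 0.5-amplitude tones) and goes slightly beyond the text by including a Goertzel-based DTMF decoder, so the "recording" is actual audio samples rather than a string.

```python
"""Added illustration of the DTMF replay described for CVE-2018-11518.

Everything here is a constructed model, not HCL's IVR code: digits are keyed
as DTMF tone pairs, "recorded" as raw audio samples, decoded with a Goertzel
filter (the usual DTMF detector) and fed to two toy IVRs. The legacy one has
a fixed, predictable activation sequence; the other speaks a per-call nonce.
"""
import math
import secrets

SAMPLE_RATE = 8000                   # Hz, telephone-band audio
LOW = (697, 770, 852, 941)           # DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)      # DTMF column frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")
DIGIT_TO_TONES = {KEYPAD[r][c]: (LOW[r], HIGH[c])
                  for r in range(4) for c in range(4)}


def synth_dtmf(digits, tone_ms=100, gap_ms=60, sr=SAMPLE_RATE):
    """Audio (float samples) of `digits` keyed as DTMF: what a loudspeaker plays."""
    out = []
    for d in digits:
        f_lo, f_hi = DIGIT_TO_TONES[d]
        for n in range(sr * tone_ms // 1000):
            t = n / sr
            out.append(0.5 * math.sin(2 * math.pi * f_lo * t)
                       + 0.5 * math.sin(2 * math.pi * f_hi * t))
        out.extend([0.0] * (sr * gap_ms // 1000))   # silence between keys
    return out


def goertzel_power(frame, freq, sr=SAMPLE_RATE):
    """Signal power in `frame` at `freq` (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / sr)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_dtmf(samples, frame_ms=20, sr=SAMPLE_RATE, threshold=400.0):
    """Recover keyed digits from audio.

    A frame is the strongest row tone plus the strongest column tone when both
    exceed `threshold`, otherwise silence; a digit is emitted once per tone
    onset. `threshold` assumes the 0.5-amplitude tones synth_dtmf produces
    (nominal power (0.5 * N / 2) ** 2 = 1600 for N = 160 samples); a real
    decoder would use relative thresholds plus twist and energy checks.
    """
    n = sr * frame_ms // 1000
    digits, prev = [], None
    for start in range(0, len(samples) - n + 1, n):
        frame = samples[start:start + n]
        power = {f: goertzel_power(frame, f, sr) for f in LOW + HIGH}
        lo = max(LOW, key=power.get)
        hi = max(HIGH, key=power.get)
        symbol = None
        if power[lo] >= threshold and power[hi] >= threshold:
            symbol = KEYPAD[LOW.index(lo)][HIGH.index(hi)]
        if symbol is not None and symbol != prev:
            digits.append(symbol)
        prev = symbol
    return "".join(digits)


class LegacyIvr:
    """Fixed menu: the same keys always activate the service, so tones captured
    from any caller replay against any later call."""
    ACTIVATE = "1*2#"   # constructed sequence, e.g. "1 for English, *2# to subscribe"

    def handle_call(self, keyed):
        return "activated" if keyed == self.ACTIVATE else "rejected"


class NonceIvr:
    """Speaks a fresh nonce into the caller's earpiece and requires it to be
    keyed back, so a recording from an earlier call carries a stale nonce."""

    def __init__(self, nonce=None):
        self.nonce = nonce if nonce is not None else f"{secrets.randbelow(10000):04d}"

    def prompt(self):
        return f"To activate, press 1 followed by {self.nonce}"

    def handle_call(self, keyed):
        return "activated" if keyed == "1" + self.nonce else "rejected"


def replay_attack():
    """Capture the victim's keypresses, play them into a new call, and return
    the outcome against each IVR design."""
    # Victim activates the service; a microphone near the handset captures the tones.
    recording = synth_dtmf(LegacyIvr.ACTIVATE)
    legacy = LegacyIvr().handle_call(decode_dtmf(recording))   # attacker's call

    # Same capture against the nonce design: the victim's call used nonce 4821,
    # the attacker's call is given a different one (both values constructed).
    victim_call = NonceIvr(nonce="4821")
    recording = synth_dtmf("1" + victim_call.nonce)
    nonce = NonceIvr(nonce="0193").handle_call(decode_dtmf(recording))
    return legacy, nonce   # ("activated", "rejected")


if __name__ == "__main__":
    print(replay_attack())
```

The nonce only helps because it travels over the earpiece, which the attacker's loudspeaker cannot hear; a nonce the IVR displays or that repeats across calls would restore the replay.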
Vulnerability category: Input validation
Products affected by CVE-2018-11518
- cpe:2.3:o:hcltech:legacy_ivr_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11518
EPSS score: 0.36% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~69% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-11518
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2) | 8.6 | 6.4 | NIST |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST |
CWE ids for CVE-2018-11518
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2018-11518
- http://virgil-cj.blogspot.com/2018/05/0day-legacy-ivr-lets-phreak.html
  A Virgil's Guide to Pentest: 0day - Legacy IVR - Let's Phreak (Third Party Advisory)
- https://datarift.blogspot.com/2018/05/CVE-2018-11518-abusing-ivr-systems.html
  Abusing IVR Systems - Legacy Telecom [CVE-2018-11518] ~ inputzero (Third Party Advisory)
- https://twitter.com/mishradhiraj_/status/1001664204485652482
  Dhiraj on Twitter: "Yes there is no boundary crossing here and it does follow the flow but the flow is controlled by someone else not the user who has initiated the call. Select 1 for English is just a (Third Party Advisory)
- https://twitter.com/mishradhiraj_/status/1001664440759091207
  Dhiraj on Twitter: "The IVR nowadays includes multiple functionalities like recharges and subscriptions for services which can also be done even with modern Telecom operators. #DiggingOldSys… https:// (Third Party Advisory)