of a hidden backdoor in VoIP devices produced by Chinese manufacturer DBL Technology which could allow access by the manufacturer or malicious third parties. The issue is with the authentication process, allowing a remote attacker to gain a shell with root privileges on an affected device, Trustwave researcher Neil Kettle explained in a blog post.

“The Telnet interface of the GoIP is documented as providing information for users of the device through the use of logins ‘ctlcmd’ and ‘limitsh’. However, an additional undocumented user, namely ‘dbladm’, is present which provides root level shell access on the device. Instead of a traditional password, this account is protected by a proprietary challenge-response authentication scheme,” he explained. “Investigation has shown this scheme to be fundamentally flawed in that it is not necessary for a remote user to possess knowledge of any secret besides the challenge itself and knowledge of the protocol/computation.”

This is apparently in contrast to more secure challenge-response schemes such as password-based log-ins, where the user is asked for a password which is then obscured to guard against “network interception and replay attacks”.

The issue was first spotted by Trustwave in an 8-port VoIP GSM Gateway from the company. However, it has since been discovered present in GoIP 1, 4, 8, 16 and 32 and could affect many more DBL Technology devices and OEM kit. More worryingly, when contacted last October, the firm did not fix the issue.

“Verification of the patched version reveals that the challenge response mechanism is still present in the latest version albeit a little more complex. It seems DBL Technology engineers did not understand that the issue is the presence of a flawed challenge response mechanism and not the difficulty of reverse engineering it,” explained Kettle. “The main differences between the latest challenge response mechanism and the older variant is the level of complexity it employs: a simplistic MD5 with a linear equation changed to several 'round' functions mixed with a modified version of the MD5 hash algorithm.”
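The design point Kettle makes is that a challenge-response reply must depend on a secret the challenger cannot observe. The following Python illustration is added here and is not Trustwave's or DBL's code, nor the GoIP's actual algorithm: it contrasts a constructed keyless reply, which anyone holding the challenge can compute, with an HMAC-keyed, single-use reply that also resists replay.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed stand-in for the class of flaw described above (not the GoIP's
# real scheme): the expected reply is a public function of the challenge
# alone, so knowing the challenge and the algorithm is enough to log in.
def keyless_response(challenge: bytes) -> bytes:
    return hashlib.md5(challenge).digest()


# Sound variant: the reply is keyed with a per-device secret, so seeing the
# challenge and knowing the algorithm does not let an outsider answer it.
def keyed_response(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Issues one random challenge per login attempt and checks the reply."""

    def __init__(self, expected_fn: Callable[[bytes], bytes]) -> None:
        self._expected_fn = expected_fn
        self._pending: Optional[bytes] = None

    def issue_challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = self._expected_fn(self._pending)
        self._pending = None  # single use: a captured reply cannot be replayed
        return hmac.compare_digest(expected, response)


def demo(secret: bytes = b"per-device-secret") -> Dict[str, bool]:
    """Runs both servers against an outsider, a secret holder and a replay."""
    flawed = ChallengeResponseServer(keyless_response)
    sound = ChallengeResponseServer(lambda c: keyed_response(secret, c))
    results = {}
    # The outsider knows the protocol but holds no secret.
    results["flawed_accepts_outsider"] = flawed.verify(keyless_response(flawed.issue_challenge()))
    results["sound_rejects_outsider"] = not sound.verify(keyless_response(sound.issue_challenge()))
    c = sound.issue_challenge()
    good = keyed_response(secret, c)
    results["sound_accepts_holder"] = sound.verify(good)
    sound.issue_challenge()  # fresh challenge; the old reply must no longer work
    results["sound_rejects_replay"] = not sound.verify(good)
    return results
```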
In a string of attacks that have escalated over the past 48 hours, hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies. The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.

"We have dedicated hours to reporting to companies, governments, manufacturers, and even individuals to patch and correct the vulnerability as soon as possible, but the exploit has already jumped to the big pages of 'advisories,' and massive attempts to exploit the Internet have already been observed."

Researchers at Cisco Systems said they are seeing a "high number of exploitation events" by hackers attempting to carry out a variety of malicious acts. One series of commands that attackers are injecting into webpages stops the firewall protecting the server and then downloads and executes malware of the attacker's choice. The payloads include "IRC bouncers," which allow the attackers to hide their real IP address during Internet chats; denial-of-service bots; and various other packages that conscript a server into a botnet.

"These are several of the many examples of attacks we are currently observing and blocking," Cisco's Nick Biasini wrote. "They fall into two broad categories: probing and malware distribution. The payloads being delivered vary considerably, and to their credit, many of the sites have already been taken down and the payloads are no longer available."

The vulnerability resides in what's known as the Jakarta file upload multipart parser, which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function. Apache Struts versions affected by the vulnerability include Struts 2.3.5 through 2.3.31, and 2.5 through 2.5.10. Servers running any of these versions should upgrade to 2.3.32 or 2.5.10.1 immediately.

It's not clear why the vulnerability is being exploited so widely 48 hours after a patch was released. One possibility is that the Apache Struts maintainers didn't adequately communicate the risk. Although they categorize the vulnerability's security rating as high, they also describe it as posing only a "possible remote code execution" risk. Outside researchers, meanwhile, have said the exploits are trivial to carry out, are highly reliable, and require no authentication. It's also easy to scan the Internet for vulnerable servers, and the bug can be exploited even if a Web application doesn't implement file upload functionality.

Update 3/9/2017 10:07 California time: In a comment to this post, Ars Technology Editor Peter Bright provides a much more plausible explanation for the delay in patching this highly critical vulnerability. Most bug fixes, he pointed out, require downloading and installing a patch, possibly rebooting a machine, and being done with it.
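To act on the version ranges above across a fleet, here is a small Python helper added here (not Apache's or Cisco's code) that decides whether a reported Struts version falls inside an affected range and which release the article says to move to. It compares versions as integer tuples, which gets 2.5.9 vs 2.5.10 and the four-component 2.5.10.1 right where a string comparison would not.

```python
from typing import Dict, Iterable, Optional, Tuple

# Affected ranges (inclusive) and fixed releases exactly as stated above.
AFFECTED = [
    ((2, 3, 5), (2, 3, 31), "2.3.32"),
    ((2, 5), (2, 5, 10), "2.5.10.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). A trailing qualifier such as '-SNAPSHOT'
    is dropped; anything else non-numeric raises ValueError."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def affected_upgrade(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None.

    Tuple ordering makes (2, 5, 9) < (2, 5, 10) and (2, 5, 10, 1) > (2, 5, 10),
    so 2.5.9 is inside the 2.5 .. 2.5.10 range and 2.5.10.1 is outside it,
    unlike a naive string comparison."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return fixed
    return None


def triage(versions: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each observed Struts version string to its required upgrade (or None)."""
    return {ver: affected_upgrade(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed inventory of reported versions, not real hosts.
    for ver, fix in triage(["2.3.4", "2.3.31", "2.5.9", "2.5.10", "2.5.10.1"]).items():
        print(f"{ver:10} -> {'upgrade to ' + fix if fix else 'not affected'}")
```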