Grandstream UCM6510 User Enumeration Vulnerability
Vulnerability
A user enumeration vulnerability has been identified in the Grandstream UCM6510 VoIP device, specifically in versions through 1.0.20.52. This vulnerability allows remote attackers to obtain sensitive information by sending login requests to the device's '/cgi' and '/webrtccgi' endpoints. The UCM6510 responds with different status codes depending on whether a username exists, enabling attackers to enumerate valid usernames.
Impact
This vulnerability could lead to information disclosure by allowing attackers to identify valid usernames, which could be used for further attacks such as brute force attempts or account takeover.
Reproduction
To reproduce this vulnerability, send a request to the '/cgi' or '/webrtccgi' endpoint with the 'action' parameter set to either 'challenge' or 'login'. The response will include a status code that indicates whether the username is valid. A status code of '0' means the user is valid, '-37' indicates no user found for 'action=challenge', and '-6' indicates no user found for 'action=login'.
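The advisory gives no log format or request-parameter names, so the following defender-side detection script is an added example and is not part of the advisory or of Grandstream's code. It assumes an Apache-style access log in which the query string is visible and that the attempted account is passed in a 'username' parameter, and it runs over constructed sample lines; it flags any client that tries many distinct usernames against '/cgi' or '/webrtccgi' with 'action=challenge' or 'action=login' within a short window, which is the traffic pattern this enumeration produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache-style combined log line with the query string visible (format is an assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" \d{3}')
LOGIN_PATHS = {"/cgi", "/webrtccgi"}
LOGIN_ACTIONS = {"challenge", "login"}  # the two actions named in the advisory

def parse_line(line):
    """Return (client_ip, timestamp, username) for a challenge/login request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    qs = parse_qs(parts.query)
    if parts.path not in LOGIN_PATHS or qs.get("action", [None])[0] not in LOGIN_ACTIONS:
        return None
    user = qs.get("username", [None])[0]  # parameter name 'username' is an assumption
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, user) if user else None

def find_enumerators(lines, window=timedelta(minutes=5), threshold=5):
    """Map client IP -> distinct usernames tried inside one window, for clients at/above threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec[0]].append(rec[1:])
    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # slide a time window over (timestamp, username) pairs
        for i, (t0, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - t0 <= window}
            if len(users) >= threshold:
                flagged[ip] = len(users)  # repeated retries of one name never reach the threshold
                break
    return flagged

# Constructed sample: 203.0.113.5 cycles through six names, 198.51.100.7 retries one name.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2024:12:00:{i:02d} +0000] "POST /cgi?action=challenge&username={u} HTTP/1.1" 200 87'
    for i, u in enumerate(["admin", "alice", "bob", "carol", "dave", "erin"])
] + [
    f'198.51.100.7 - - [10/Mar/2024:12:01:{i:02d} +0000] "POST /webrtccgi?action=login&username=alice HTTP/1.1" 200 87'
    for i in range(3)
]
```

On the sample, find_enumerators(SAMPLE_LOG) returns {'203.0.113.5': 6}; the client that only retries one account is not flagged.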
Remediation
Users can update to Grandstream UCM6510 firmware version 1.0.20.53, which addresses this vulnerability. The firmware is available on the Grandstream support page. Additionally, UCM630X users can update to version 1.0.29.11.
