Grandstream UCM6510 Weak Lockout Vulnerability Allowing Brute Force Attacks
Vulnerability
A vulnerability exists in Grandstream Networks UCM6510 versions through 1.0.20.52, due to improper restriction of excessive authentication attempts. The device's weak account lockout mechanism allows attackers to perform unlimited login attempts using different passwords, potentially leading to unauthorized access. This issue is particularly exploitable through the '/cgi' and '/webrtccgi' endpoints, where the system's responses can be manipulated to facilitate brute force attacks.
Impact
The lack of effective account lockout measures enables brute force attacks, allowing attackers to guess passwords and gain unauthorized access to accounts. Additionally, the vulnerability could be combined with other issues, such as user enumeration, to further compromise the system.
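As an added illustration (not Grandstream's code, and not a description of how the UCM6510 firmware implements or fixed its lockout), the following Python sketch models what an effective account lockout looks like: a fixed budget of failed attempts per account, after which every further attempt is refused for a lock period without the password even being checked. The class name `LoginGuard`, the 15-minute lock duration and the sample credential are constructed for the example; the budget of 5 only mirrors the starting value of the 'remaining_num' counter the advisory mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional, Tuple

# Illustrative lockout policy (constructed example, not the vendor's logic):
# an account gets MAX_FAILURES consecutive failed logins, then is locked for
# LOCK_DURATION. The value 5 mirrors the advisory's 'remaining_num' start.
MAX_FAILURES = 5
LOCK_DURATION = timedelta(minutes=15)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class LoginGuard:
    def __init__(self, max_failures: int = MAX_FAILURES,
                 lock_duration: timedelta = LOCK_DURATION) -> None:
        self.max_failures = max_failures
        self.lock_duration = lock_duration
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def attempt(self, user: str, password: str, now: datetime,
                verify: Callable[[str, str], bool]) -> Tuple[str, int]:
        """Process one login attempt. Returns (outcome, remaining_attempts)
        where outcome is 'ok', 'fail' or 'locked'."""
        st = self._state(user)
        if st.locked_until is not None and now < st.locked_until:
            # Locked: refuse without consulting the password at all, so
            # guesses made during the lock window learn nothing.
            return "locked", 0
        if st.locked_until is not None:
            # Lock has expired: start a fresh failure budget.
            st.failures, st.locked_until = 0, None
        if verify(user, password):
            st.failures = 0
            return "ok", self.max_failures
        st.failures += 1
        remaining = self.max_failures - st.failures
        if remaining <= 0:
            # Budget exhausted: the lock is what the advisory says is missing,
            # since the counter alone does not stop further attempts.
            st.locked_until = now + self.lock_duration
            return "locked", 0
        return "fail", remaining


def demo() -> list:
    """Five wrong guesses, then the correct password during the lock window,
    then the correct password after the lock expires. Returns the outcomes."""
    creds = {"admin": "correct horse"}  # constructed sample credential
    verify = lambda u, p: creds.get(u) == p
    guard = LoginGuard()
    t0 = datetime(2024, 3, 12, 10, 0, 0)
    outcomes = []
    for i in range(5):
        outcomes.append(guard.attempt("admin", f"guess{i}",
                                      t0 + timedelta(seconds=i), verify))
    # Correct password while locked is still refused.
    outcomes.append(guard.attempt("admin", "correct horse",
                                  t0 + timedelta(seconds=10), verify))
    # After the lock expires a correct password succeeds and resets the budget.
    outcomes.append(guard.attempt("admin", "correct horse",
                                  t0 + timedelta(minutes=16), verify))
    return outcomes


if __name__ == "__main__":
    for outcome, remaining in demo():
        print(f"{outcome:6s} remaining={remaining}")
```

A per-account lock on its own lets anyone who knows a username deny that user service by exhausting the budget, so deployments normally pair it with per-source throttling and a lock that is reported identically for valid and unknown account names.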
Reproduction
To reproduce this vulnerability, send a request to the '/cgi' or '/webrtccgi' endpoints with the 'action=challenge' parameter. A valid user will receive a challenge value and a status code '0', while an invalid user will get a status code '-37' and a decreasing 'remaining_num' value, starting from '5'. Once the challenge value is obtained from a valid user, it can be used with 'action=login' to repeatedly guess passwords. The system will respond with 'status=-37' after multiple failed attempts, indicating weak or missing account lockout.
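From the defender's side, the request pattern described above (a challenge request followed by repeated login requests to '/cgi' or '/webrtccgi') is visible in the device's web access log. The following Python example is added here and is not part of the advisory; it flags sources that issue a burst of 'action=login' requests within a sliding window, and sources that request challenges for many different account names, which is the user-enumeration pattern the Impact section mentions. Assumptions: the log lines are in common log format and chronological order, the action is in the query string, and the account name travels in a hypothetical 'user' parameter; the sample lines and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in common log format. Assumptions: the
# advisory does not document the UCM's log format, the 'action' parameter is
# carried in the query string, and the account name travels in a hypothetical
# 'user' parameter. 10.0.0.5 hammers action=login, 10.0.0.7 probes several
# account names with action=challenge, 10.0.0.9 is an ordinary user.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /cgi?action=challenge&user=admin HTTP/1.1" 200 64
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /cgi?action=login&user=admin HTTP/1.1" 200 40
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /cgi?action=login&user=admin HTTP/1.1" 200 40
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /cgi?action=login&user=admin HTTP/1.1" 200 40
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "GET /cgi?action=login&user=admin HTTP/1.1" 200 40
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "GET /webrtccgi?action=login&user=admin HTTP/1.1" 200 40
10.0.0.5 - - [12/Mar/2024:10:00:07 +0000] "GET /webrtccgi?action=login&user=admin HTTP/1.1" 200 40
10.0.0.9 - - [12/Mar/2024:10:00:10 +0000] "GET /cgi?action=challenge&user=alice HTTP/1.1" 200 64
10.0.0.9 - - [12/Mar/2024:10:00:11 +0000] "GET /cgi?action=login&user=alice HTTP/1.1" 200 40
10.0.0.7 - - [12/Mar/2024:10:01:00 +0000] "GET /cgi?action=challenge&user=bob HTTP/1.1" 200 64
10.0.0.7 - - [12/Mar/2024:10:01:01 +0000] "GET /cgi?action=challenge&user=carol HTTP/1.1" 200 64
10.0.0.7 - - [12/Mar/2024:10:01:02 +0000] "GET /cgi?action=challenge&user=dave HTTP/1.1" 200 64
10.0.0.7 - - [12/Mar/2024:10:01:03 +0000] "GET /cgi?action=challenge&user=erin HTTP/1.1" 200 64
10.0.0.9 - - [12/Mar/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two endpoints named in the advisory.
AUTH_PATHS = {"/cgi", "/webrtccgi"}


def parse_line(line):
    """Parse one log line; return None for non-matching lines or requests
    that do not hit an authentication endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path not in AUTH_PATHS:
        return None
    q = parse_qs(parts.query)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts.path,
        "action": q.get("action", [""])[0],
        "user": q.get("user", [""])[0],   # hypothetical parameter name
    }


def detect_login_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: peak_count} for sources whose action=login requests reach
    `threshold` within any sliding `window`. Lines must be in time order."""
    recent = defaultdict(deque)
    peaks = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "login":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()          # drop attempts that fell out of the window
        if len(q) >= threshold:
            peaks[ev["ip"]] = max(peaks.get(ev["ip"], 0), len(q))
    return peaks


def detect_user_probing(log_text, threshold=3):
    """Return {ip: sorted account names} for sources that requested
    action=challenge for at least `threshold` distinct account names."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "challenge" or not ev["user"]:
            continue
        seen[ev["ip"]].add(ev["user"])
    return {ip: sorted(u) for ip, u in seen.items() if len(u) >= threshold}


if __name__ == "__main__":
    for ip, n in detect_login_bursts(SAMPLE_LOG).items():
        print(f"login burst: {ip} made {n} login requests within 60s")
    for ip, users in detect_user_probing(SAMPLE_LOG).items():
        print(f"user probing: {ip} requested challenges for {users}")
```

The burst detector deliberately counts requests rather than response bodies, since the 'status=-37' and 'remaining_num' values live in the reply and are rarely logged; on this device the request rate alone is the reliable signal, because the advisory's point is that the device itself does not stop the attempts.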
Remediation
Users can update to Grandstream UCM6510 firmware version 1.0.20.53, which addresses this vulnerability. The update is available on the Grandstream official firmware support page.