Polycom HDX Series Command Injection Vulnerability in Telnet Interface Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Polycom HDX Series video conferencing systems, in the command shell interface accessed via Telnet. It allows authenticated attackers to execute arbitrary system commands with root privileges. The issue lies in the 'lan traceroute' command, which accepts unsanitized input and so allows shell metacharacters to be injected. Exploitation is possible on systems with Telnet access enabled, where the interface either allows unauthenticated access or the credentials are known.

Impact

Exploitation of this vulnerability leads to unauthorized command execution on the affected system, with the executed commands running under the context of the root user.

Reproduction

The vulnerability can be reproduced by first authenticating to the Polycom HDX command shell via Telnet. Once authenticated, the 'devcmds' command can be issued to access a mode that allows for command injection through the 'lan traceroute' command. By injecting commands using the Internal Field Separator (IFS) to bypass input validation, arbitrary commands can be executed on the system.

Remediation

Polycom has released a hotfix for this vulnerability. Users can refer to the Polycom Security Advisory for details on applying the update.
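The class of fix for an unsanitized 'lan traceroute' argument, as an added example (not Polycom's code or the contents of its hotfix): validate the host against a strict character allowlist and hand it to the traceroute binary as a separate argument so no shell parses it. The function names and the use of execvp() are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HOST_LEN 253 /* longest valid DNS name */

/* Allowlist: only characters that occur in hostnames and IPv4/IPv6 literals. */
static int allowed_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '-' || c == ':';
}

/* Return 1 if host is safe to pass on, 0 otherwise. Whitespace, '$', ';',
 * '|', '&', backticks, quotes and braces all fail the allowlist, so an
 * IFS-based substitute for a space is rejected like any other metacharacter. */
int is_safe_host(const char *host)
{
    size_t len, i;
    if (host == NULL) return 0;
    len = strlen(host);
    /* A leading '-' would be parsed by traceroute as an option. */
    if (len == 0 || len > MAX_HOST_LEN || host[0] == '-') return 0;
    for (i = 0; i < len; i++)
        if (!allowed_char(host[i])) return 0;
    return 1;
}

/* Build an argument vector for execvp(), so no shell ever parses the input.
 * Returns 0 on success, -1 if the host is rejected. */
int build_traceroute_argv(const char *host, const char *argv[3])
{
    if (!is_safe_host(host)) return -1;
    argv[0] = "traceroute";
    argv[1] = host;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "192.0.2.10", "2001:db8::1",
                              "192.0.2.10;echo${IFS}x", "-h" };
    const char *argv[3];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s %s\n", samples[i],
               build_traceroute_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```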

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 10.0
exploitability: 5.3
remediation: 8.3
relevance: 0.2
threat: 7.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.