The following advisory describes 2 (two) vulnerabilities found in the DblTek webserver.
DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 16, and 32-channel in order to meet the wide range of market demands. All our products are priced very attractively and probably the lowest in the market. Because of the price and performance, GoIPs have been widely adopted by system integrators, VoIP service providers, and many other business and individual users.”
The vulnerabilities found are:
- Pre-authentication Information Disclosure
- Command Execution
It is possible to combine the 2 vulnerabilities and gain unauthenticated remote command execution.
An independent security researcher has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
DblTek has released patches to address those vulnerabilities.