Alcatel-Lucent Security Advisory: CVE-2020-1179 (RCE)

OTMS remote code execution

I have discovered a vulnerability in OpenTouch Multimedia Services, making it possible for an attacker with administration rights to execute code on the server via web requests with high privileges.

Description of the vulnerability

The CGI script vmconstruct.cgi is vulnerable to shell command injection attacks through HTTP POST requests. An attacker with an OT administrator cookie can inject arbitrary OS commands using the semicolon (;) character in the web request.

Impacts

OS command injection vulnerabilities can lead to elevated shell access on the OT server for the attacker.

Reference: CVE-2020-11794
Date: April 15th, 2020
Risk: High
Impact: Get access
Attack expertise: Skilled, Administrative user
Attack requirements: Remote
CVSS score: 8.0 (HIGH)
https://www.al-enterprise.com/-/media/assets/internet/documents/sa-c0066-otms_rce_vulnerability.pdf
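
The bug class described above (a request field concatenated into a shell command line, where ";" ends one command and starts another) is shown below next to its hardened form. This is an added example, not code from vmconstruct.cgi or from the vendor: the advisory does not name the affected parameter, so the field format, the allow-list pattern, the function names and the harmless echo command are all assumptions, and the sample input is constructed.

```python
import re
import subprocess

# Hypothetical allow-list for a form field. The advisory does not describe
# the real parameter or its format, so this pattern is an assumption.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def run_vulnerable(value: str) -> str:
    """'Before' pattern: the field is concatenated into a shell command line."""
    # /bin/sh parses the whole string, so ';' in the field ends the intended
    # command and whatever follows runs as a second command.
    result = subprocess.run("echo processing " + value, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_argv(value: str) -> str:
    """No shell: the field is passed as exactly one argv element."""
    # Metacharacters such as ';' stay literal because nothing parses them.
    result = subprocess.run(["echo", "processing", value],
                            capture_output=True, text=True, check=True)
    return result.stdout


def run_hardened(value: str) -> str:
    """'After' pattern: allow-list validation, then the shell-free call."""
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError("rejected field value")
    return run_argv(value)


if __name__ == "__main__":
    sample = "box1; echo INJECTED"  # constructed input, harmless second command
    print("shell string :", run_vulnerable(sample).splitlines())
    print("argv list    :", run_argv(sample).splitlines())
    try:
        run_hardened(sample)
    except ValueError as exc:
        print("validated    :", exc)
```

With the shell string, the constructed input produces two output lines because two commands ran; with the argv list it produces one line containing the semicolon as plain text, and the validated form refuses the value before any process is started.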