The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php.
Recent assessments:
zeroSteiner at January 13, 2020 5:56pm UTC reported:
The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand within the encoded AMF data. The original parameter for the vulnerable function is "pref -l /var/system/upgrade/status". Replace this part with the command to be executed. Authentication to the web application is not necessary; however, a valid PHP session ID must be passed within the request.
Assessed Attacker Value: 2
References:
securityreason.com/securityalert/8363
securityreason.com/securityalert/8527
www.exploit-db.com/exploits/17743
www.kb.cert.org/vuls/id/213486
www.securestate.com/Documents/LifeSize_Room_Advisory.txt
www.securityfocus.com/archive/1/519463/100/0/threaded
www.securityfocus.com/bid/49330
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2763
exchange.xforce.ibmcloud.com/vulnerabilities/69444