Canadian telecom companies are rushing to fix a serious vulnerability associated with the Soleo IP Relay, which is used as an aid to those who are deaf, hard-of-hearing, or dealing with speech disorders. The remote interpreting service allows for these individuals to place calls via assisted phone devices. Soleo IP Relay, which is from Soleo Communications, is used pretty much by every telecom company in Canada,
This vulnerability was found thanks to research conducted by Dominik Penner and Manny Mand of Project Insecurity. The research, published in a paper, shows how a local file-disclosure flaw puts 30 million Canadian residents with various disabilities at risk for identity theft and other issues. According to the Project Insecurity paper, telecoms affected by the vulnerability include:
- Bell
- Sasktel
- Telus
- Shaw
- Videotron
- MTS
- Rogers (services hosted at iprelayservice.net)
- Bell Aliant
- Cogeco
- Fido (services hosted at iprelayservice.net)
- Koodo (services hosted at iprelayservice.net)
- Chatr (services hosted at iprelayservice.net)
- AllStream
- EastLink
The local file-disclosure flaw associated with the Soleo IP Relay is described by researchers as follows:
A determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially launch a large-scale identity theft operation… This vulnerability exists due to the fact that there is improper sanitization on the ‘page’ GET parameter in servlet/IPRelay.
The flaw’s discovery began with an investigation of a provider’s login page and flawed code resulting from it. Soon they began digging deeper and uncovered just how serious the issue was via a proof-of-concept .xml file that was able to retrieve the location of source files. After some more digging, the researchers quickly reached out to Soleo.
The company did confirm on August 10 that a patch had been created for the issue, however, according to the research paper, it refused “to establish disclosure timeline despite multiple attempts.” Not a great PR strategy to say the least, but at least the patch will be rolled out eventually.
Featured image: Flickr / Karolina Kabat
