
Researcher says call-center software ripe for ‘systematic study’ after finding vulnerabilities


Synopsys researchers discovered a pair of now-patched vulnerabilities in GOAutodial, call center management software used in more than 50,000 businesses.

"We all say that every business is a software business these days. And this is a really classic example of that," said Scott Tolley, a sales engineer at Synopsys who discovered the vulnerabilities.

Call centers are awash with consumer data and a critical component of business functions, whether that is in providing support, payment or other services. But call-center software and other back-end office software may be the source of several blind spots in cybersecurity, said James Wilde, global head of security strategy for SPHERE and a former head of security technology services for Barclays.

"These aren’t mainstream apps and tech, so they aren't actively being probed for vulnerabilities by third parties and threat actors," Wilde said, adding: "Vendors are not embracing strong vulnerability processes to actively assess their vulnerabilities, and not openly publishing these vulnerabilities."

The GOAutodial research found two problems in the API's handling of PHP files. CVE-2021-43175 allows access to PHP files without valid credentials. CVE-2021-43176 is a local file inclusion flaw that allows users to launch arbitrary code from files that exist within the GOAutodial system, including ones sent using instant message.

Synopsys praised GOAutodial's rapid handling of its vulnerability report. The disclosure process began the last week of September, with GOAutodial proposing a fix within a month.

Tolley said the discovery may lead him to do more extensive research into the space.

"This is the first example that I have looked at myself, and I am quite tempted to do a more systematic study of the ecosystem after this," he said. "Where you find something, it is likely that there are more things."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
