National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2018-11518 Detail

Description

A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece).

Source:  MITRE
Description Last Modified:  05/30/2018

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
http://virgil-cj.blogspot.com/2018/05/0day-legacy-ivr-lets-phreak.html
https://datarift.blogspot.com/2018/05/CVE-2018-11518-abusing-ivr-systems.html
https://twitter.com/mishradhiraj_/status/1001664204485652482
https://twitter.com/mishradhiraj_/status/1001664440759091207

Technical Details

Vulnerability Type (View All)

Quick Info

CVE Dictionary Entry:
CVE-2018-11518
NVD Published Date:
05/30/2018
NVD Last Modified:
05/30/2018