Root Backdoor & Unauthenticated access to voice recordings in NICE Systems product

SEC Consult Vulnerability Lab Security Advisory: “NICE Systems (NASDAQ: NICE), is the worldwide leader of intent-based solutions that capture and analyze interactions and transactions, realize intent, and extract and leverage insights to deliver impact in real time.” source: “NICE provides Law Enforcement Agencies (LEAs) with mission-critical lawful interception (LI) solutions to support the fight against organized crime, drug trafficking and terrorist activities.

NICE helps LEAs stay up-to-date with fast-paced technology developments.

The solutions retrieve target location, relations and conversation content from any type of communication including fax, fixed and mobile telephony, and Internet applications, resulting in a multi-dimensional investigative picture. NICE solutions support the entire lawful interception cycle, from warrant initiation to court evidence presentation.”




“NICE Recording eXpress is designed specifically for the audio recording needs of the small and medium sized Public Safety organisation. This advanced recording solution offers a comprehensive, advanced, easy-to-install and affordable platform built for the Public Safety environment and Command and Control operations delivering optimal recording functionality and quality management.”

Business recommendation: Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication. Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup. It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. It is assumed that further critical vulnerabilities exist.

Vulnerability overview/description:


1) root backdoor account (REC-5180 SR1093984 – subtask REC-5424)

2) Unauthenticated access to sensitive files & voice recordings (REC-5179 SR1089608 – subtask REC-5417)

3) Low-privileged users can access other voice recordings & Insufficient authorization (REC-5179 SR1089608 – subtask REC-5418)

4) Unauthenticated access to functionality (REC-5179 SR1089608 – subtask REC-5419)

5) Insufficient authorization of admin functions (REC-5179 SR1089608 – subtask REC-5420)

6) Multiple cross site scripting issues (REC-5181 SR1093986 – subtask REC-5421)

7) Multiple unauthenticated SQL injection issues (REC-5180 SR1093984 – subtask REC-5423)

8) Insecure cookie handling (REC-5181 SR1093986 – subtask REC-5422)

9) Violation of least principle – services run as SYSTEM (not included in subtask)