In a feat of resiliency, the United States Ski and Snowboard Association (USSA) migrated a service and then decommissioned a vulnerable server during the COVID-19 pandemic after the UtahCyberCheck project found a critical vulnerability.
Earlier this year, I discovered USSA ran an OpenVBX server at longdistance.ussa.org. According to its GitHub page, OpenVBX is a web-based phone system the company Twilio had acquired and subsequently open-sourced. Twilio has since abandoned it, and no further development has occurred in over four years.
During this time, customers and researchers opened dozens of issues, including a couple of vulnerability reports. One such vulnerability reported on GitHub is a PHP object injection vulnerability. According to the well-respected Open Web Application Security Project (OWASP), PHP object injection “could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, (and) SQL Injection.” In simpler terms, it allows an attacker to breach the server or access the database. Due to the lack of community and Twilio support, this issue will likely never be fixed in OpenVBX.
Contact and Response
Just as the COVID-19 pandemic hit Utah, I reported the vulnerability via Utah SIAC on February 27, 2020. The virus hit Park City, UT, where USSA is headquartered, early on. Summit County saw one of the first community-spread cases of the virus in Utah and was the first county in Utah to issue a stay-at-home order. Not to mention that in the middle of the pandemic a magnitude 5.7 earthquake hit one county over. Leading up to these disasters, the country was right in the middle of winter sports season, putting a lot of demand on the time and resources of USSA.
What deserves recognition is not just the vulnerability, but USSA’s ability to address it as quickly as they did during these unprecedented times. Any one of these circumstances on its own is a lot to handle, but combined they seem almost impossible to address. Despite the upheaval, USSA migrated their phone system off the vulnerable server within 40 days! Migrations this large can take many companies months or even years to complete even when not dealing with a pandemic. The team accomplished a remarkable feat.
My UtahCyberCheck project focuses on voluntarily finding and reporting cybersecurity issues in Utah education, nonprofit, and government infrastructure. For more information about the UtahCyberCheck project, you can read its announcement blog post.