innovaphone IP222 / IP232 Denial Of Service
Posted on 05 March 2016
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-053 Product: innovaphone IP222/IP232 Manufacturer: innovaphone AG Affected Version(s): 11r1s r2 Tested Version(s): 11r1s r2 Vulnerability Type: Denial of Service (CWE-730) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2015-09-02 Solution Date: unknown Public Disclosure: 2016-03-04 CVE Reference: Not yet assigned Author of Advisory: Alexander Brachmann (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The innovaphone IP222 and IP232 are IP telephones with many features. The manufacturer innovaphone describes the products as follows (see [1], [2]): "The IP222 telephone unites a very modern design with groundbreaking technological details. It belongs to the innovaphone product family that won the popular "red dot award: product design". (...) The innovaphone IP232 IP phone unites a very modern design with groundbreaking technological details. It belongs to the innovaphone design telephone product range that won the coveted "red dot award: product design"." Due to a vulnerability in the H.323 network service on the TCP port 1720, the telephone can be restarted in an unauthorized manner by an attacker causing a denial-of-service condition. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: A not further analyzed vulnerability in the H.323 network service on the TCP port 1720 of the IP telephone IP222 can be exploited by an attacker on the same network to reboot the telephone in an unauthorized way. This vulnerability can be used for denial-of-service attacks against the IP222 telephone at arbitrary states, for example during a call. If the IP222 telephone is configured in such a way that its users are not automatically logged in after a reboot, the impact of this denial-of-service attack is even bigger as user interaction is required to restore the IP telephone to the previous working state. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The IP telephone IP222 can be rebooted in an unauthorized way by sending random data to its H.323 network service on the TCP port 1720, for example by using the following command: $ cat /dev/urandom | nc <IP ADDRESS> 1720 Before rebooting, the CPU register state is shown on the telephone's display (white text on red background). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to test results of the SySS GmbH with a newer firmware version 11r2 sr9, the reported security issue was fixed by the manufacturer. Please contact the manufacturer for further information or support. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-09-04: Vulnerability reported to manufacturer 2015-09-07: Manufacturer acknowledges e-mail with SySS security advisory and asks for further information 2015-09-08: Response to open question 2015-11-06: E-mail to manufacturer asking about the current state of the reported security issue 2015-11-06: Manufacturer cannot reproduce the security issue Providing detailled information how the security vulnerability can be triggered 2015-11-09: E-mail to manufacturer asking about the current state of the reported security issue 2015-11-12: Further e-mail to manufacturer asking about the current state of the reported security issue 2016-03-03: Test of the security vulnerability with the newer firmware version 11r2 sr9 where no DoS condition could be triggered anymore 2016-03-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] innovaphone IP222 product Web site http://www.innovaphone.com/en/ip-telephony/ip-phones/ip222.html [2] innovaphone IP232 product Web site http://www.innovaphone.com/en/ip-telephony/ip-phones/ip232.html [3] SySS Security Advisory SYSS-2015-053 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-053.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Alexander Brachmann of the SySS GmbH. E-Mail: alexander.brachmann (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Alexander_Brachmann.asc Key fingerprint = 8E49 74AF 34A6 E600 E958 FB63 2E8E 1546 17DE CFFE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEAREKAAYFAlbZRTsACgkQLo4VRhfez/6SfACgn5/C92L79sVNEcAUBdSo6RZF Sc4An07SEfFnu6Jyz9jL/bd9tHJ8t7Tj =T67e -----END PGP SIGNATURE-----