-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-003
Product:                   Poly CCX IP Phones
Manufacturer:              HP Development Company, L.P
Affected Version(s):       Firmware Versions < 8.0.2.2367
Tested Version(s):         Firmware Version 7.2.7.0193
Vulnerability Type:        Improper Access Control (CWE-284)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2024-01-17
Solution Date:             2024-04-04
Public Disclosure:         2024-04-05
CVE Reference:             CVE-2024-3281
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Poly CCX VoIP phones are modern desk phones which are used for the
operation in enterprise environments.

The manufacturer describes the product, e.g. the CCX 400 model, as
follows (see [1]):

"Entry-level business media desk phone with color touchscreen.
- - Entry-level business media phone
- - Simple and intuitive interface
- - Color touch screen"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By default, the Poly IP phone provides the Android Debug Bridge (ADB) on
TCP port 5555. Due to the lack of authentication, the system can be
accessed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Access the system via ADB:
    1. $ adb connect <ip-address>:5555
    2. $ adb shell

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Fixed firmware versions were provided by the manufacturer.[4]
Update phones to firmware version 8.0.2.2367 or newer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-01-10: Vulnerability discovered
2024-01-17: Vulnerability reported to manufacturer
2024-02-07: Manufacturer confirmed reception and asked further 
            questions about the analyzed device
2024-02-07: Additional information was provided
2024-02-13: Manufacturer had some follow-up questions
2024-03-25: Provision of further information
2024-03-29: Root cause was determined by the manufacturer; 
            fixed versions will be provided and a security note 
            published by the manufacturer
2024-04-04: Security note published by the manufacturer[4]
2024-04-05: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Poly CCX IP phones product website
    https://www.poly.com/us/en/products/phones/ccx
[2] SySS Security Advisory SYSS-2024-003
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-003.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
    https://support.hp.com/us-en/document/ish_10388650-10388701-16/hpsbpy03929

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmYU64cACgkQrgyb+PE0
i1MuBA/6Aj8PC4oPCD9gBMXYWuZ7hBRx/Riq2jTteMfux7I0McoYdrBeWU07GqlA
YTbyPljiDCW1FKxDkooj9V/gZXy7iy6mYUXZrnNNYsQGE563E9dhSGp4kPqhgY4W
CqYfuN+LmIhiHwGKFncgwEcKgj9+00e2OoXMO3mCA6czRhTS6QngMuN+SkgaxP0l
7dOQYhbbg2ke6TP5fw2yGsA8WaVnOco6Ngc4rd56lfauokzdEQcMonoShqJxvtYY
LIycjxm4TSbj929cWXSMtuFLPHK8U6uWON+7VHQSnldB8i6hE6U8WA+L9+lo/iRO
+83uT2hdujcyq3rZg/9ArqIC1PyX/Gtf+hnTK10FYXFxkZqZc3DoAZafT/ZYzNLx
m2xxGnXrP1UdKL6bLCOZXSjy82vLNeCkN8hpL+43t05jIyXvBPcxTTHQ+GGojyGn
99N4+CpVWVMf2oWelIVIPXdBm8wh2uucJxWYFLJxZMrzFaQKnmFRA8JPS/cKWXcf
GLf3ngyUGzpxe4Rzms0AQz7HnLIaeBvy4F1PHddX8baW/hFd9LYMtT5gb3PMLxYV
I94jOtSQ4ImNjQ56JcxWelXUQ9nujhtPiH/kRXjKXAarfDuchRSTqG0eQ9uB+ku1
leZcwaJF5+Qb/M2dVnW2fvtkwf43Nl4335kFBG5I1dDSvSlMifg=
=SMXN
-----END PGP SIGNATURE-----