Advisory ID:               SYSS-2024-004
Product:                   Poly CCX IP Phones
Manufacturer:              HP Development Company, L.P.
Affected Version(s):       Firmware Versions < 8.0.2.2367
Tested Version(s):         Firmware Version 7.2.7.0193
Vulnerability Type:        Incorrect Permission Assignment for Critical
                           Resource (CWE-732)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2024-01-17
Solution Date:             2024-04-04
Public Disclosure:         2024-04-05
CVE Reference:             Not yet assigned
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Poly CCX VoIP phones are modern desk phones intended for use in
enterprise environments.

The manufacturer describes the product, e.g. the CCX 400 model, as
follows (see [1]):

"Entry-level business media desk phone with color touchscreen.
- Entry-level business media phone
- Simple and intuitive interface
- Color touch screen"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By default, the device's individual X.509 private key located at
"/tmp/defkey.crt" has the permissions "rw-r--r--" set and is therefore
"world"-readable.

Since this key is used for authentication against external parties,
e.g. provisioning services, an attacker might be able to gain access to
sensitive data using this certificate.

Access to the system and this file can be achieved, e.g., by using the
Android Debug Bridge (ADB) (see SYSS-2024-003[2]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Access the system via ADB:

   $ adb connect :5555

2. Read out the file permissions:

   $ adb shell "ls -la /tmp/defkey.crt"

3. Access the private key:

   $ adb shell "cat /tmp/defkey.crt"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Fixed firmware versions were provided by the manufacturer.[5]

Update phones to firmware version 8.0.2.2367 or newer.
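
A defender-side check for the flaw described under "Vulnerability Details", as an added example that is not part of the SySS advisory or the manufacturer's fix: it flags any PEM private key whose mode grants group or other access, and goes beyond the single file in the advisory by accepting a list of paths. The function names are hypothetical, and the `stat` syntax assumes GNU or toybox `stat` with a BSD fallback.

```shell
#!/bin/sh
# Added example (not from the advisory): flag PEM private keys whose mode
# grants group or other any access, as with the world-readable key above.

# is_private_key FILE: succeeds if FILE holds a PEM private-key header.
is_private_key() {
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" 2>/dev/null
}

# key_mode FILE: prints octal permission bits (GNU/toybox stat, then BSD).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key FILE: returns 0 = owner-only, 1 = too permissive, 2 = skipped.
check_key() {
    f=$1
    if [ ! -f "$f" ] || ! is_private_key "$f"; then
        echo "SKIP $f (not a readable PEM private key)"
        return 2
    fi
    mode=$(key_mode "$f")
    # Mask the group and other bits; any bit set means exposure beyond owner.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "OK   $f mode=$mode"
        return 0
    fi
    echo "WEAK $f mode=$mode (accessible beyond owner)"
    return 1
}

# audit_keys FILE...: checks every path; returns 1 if any key is too permissive.
audit_keys() {
    weak=0
    for p in "$@"; do
        rc=0
        check_key "$p" || rc=$?
        if [ "$rc" -eq 1 ]; then weak=$((weak + 1)); fi
    done
    [ "$weak" -eq 0 ]
}

# When paths are given on the command line, audit them; exit status = result.
if [ "$#" -gt 0 ]; then audit_keys "$@"; fi
```

Pass the key paths to audit as arguments; the exit status is non-zero when any key is accessible beyond its owner, so the script can gate a firmware image or configuration build.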

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-01-10: Vulnerability discovered
2024-01-17: Vulnerability reported to manufacturer
2024-02-07: Manufacturer confirmed reception and asked further
            questions about the analyzed device
2024-02-07: Additional information was provided
2024-02-13: Manufacturer had some follow-up questions
2024-03-25: Provision of further information
2024-03-29: Root cause was determined by the manufacturer; fixed
            versions will be provided and a security note published by
            the manufacturer
2024-04-04: Security note published by the manufacturer[5]
2024-04-05: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Poly CCX IP phones product website
    https://www.poly.com/us/en/products/phones/ccx
[2] SySS Security Advisory SYSS-2024-003
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-003.txt
[3] SySS Security Advisory SYSS-2024-004
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-004.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] Manufacturer note
    https://support.hp.com/us-en/document/ish_10388650-10388701-16/hpsbpy03929

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en