Advisory ID: SYSS-2024-007
Product: Unify CP IP Phones
Manufacturer: Unify Communications and Collaboration GmbH & Co. KG
Affected Version(s): Firmware >= CP SIP V1.10.4.3
Tested Version(s): Firmware CP SIP V1.10.4.3
Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2024-01-22
Solution Date: 2024-04-03
Public Disclosure: 2024-04-03
CVE Reference: CVE-2024-28065
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Unify CP IP phones are modern desk phones used in enterprise
environments.

The manufacturer describes the product as follows (see [1]):

"Intuitive, space-efficient and gigabit to the desk. The ergonomic Atos
OpenScape Desk Phone IP family delivers a user-friendly, cost-effective
and feature-rich communications experience."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Unify CP IP Phone firmware files are not encrypted and contain sensitive
information such as the root password hash (see SYSS-2024-008 [2]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. A firmware upgrade file consists of multiple parts; in the tested
   image, a Gzip-compressed POSIX tar archive can be found at offset
   0x200000.

2. This archive has a size of 19657022 bytes and can therefore be
   extracted as follows:

   $ dd if=upgrade.img skip=2097152 count=19657022 bs=1 of=rootfs.gz

3. Decompress the archive:

   $ gzip -d rootfs.gz

4. Extract the POSIX tar archive:

   $ tar xfv rootfs.tar

5. Access the root password hash ("/etc/shadow"):

   $ cat etc/shadow
   root:$1$$waiBblDbCpXQTObRzD1mC1:10933:0:99999:7:::

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer, the vulnerability has been fixed [5].
Fixed versions are 1.11.3.0, 2.0.14.0 and 1.8.2.0.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-01-17: Vulnerability discovered
2024-01-22: Vulnerability reported to manufacturer
2024-01-22: Manufacturer confirmed reception
2024-02-22: Requested the current status from the manufacturer
2024-02-23: Manufacturer responded that it is still under investigation
2024-02-28: Manufacturer reported that no measures are planned regarding
            this issue
2024-03-01: CVE-2024-28065 is assigned
2024-03-04: Manufacturer responded: "This vulnerability poses no
            significant risk to the Desk Phone."
2024-03-04: A public advisory is planned by the manufacturer
2024-03-28: Manufacturer informed that two out of three fixed versions
            are available
2024-04-03: All fixed versions are available
2024-04-03: Manufacturer published a security note [5]
2024-04-03: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Unify CP IP Phones product website
    https://unify.com/en/solutions/phones-and-clients/desktop-phones
[2] SySS Security Advisory SYSS-2024-008
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-008.txt
[3] SySS Security Advisory SYSS-2024-007
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-007.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] Manufacturer note, OBSO-2404-01
    https://networks.unify.com/security/advisories/OBSO-2404-01.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.
E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
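The PoC section carves the root filesystem from one known offset. As an added example that is not part of this advisory or of the manufacturer's tooling, the Python script below generalizes that check into a pre-release test a vendor or auditor can run on any image: it scans for gzip members that are readable in the clear (the symptom of a CWE-311 image) and reports which accounts in the embedded etc/shadow ship with a usable password hash. The sample image, its offset and the hash in it are constructed placeholders, not values from the advisory; the function names are this example's own.

```python
import gzip, io, tarfile, zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)


def find_gzip_members(image: bytes) -> list:
    """Offsets of gzip streams visible in the clear in a firmware image.
    Each candidate magic is confirmed by inflating its first bytes, which
    discards chance occurrences of the three magic bytes."""
    hits, pos = [], image.find(GZIP_MAGIC)
    while pos != -1:
        try:
            zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(image[pos:pos + 4096])
            hits.append(pos)
        except zlib.error:
            pass
        pos = image.find(GZIP_MAGIC, pos + 1)
    return hits


def shadow_accounts_with_hash(image: bytes, offset: int) -> list:
    """Inflate the member at `offset`, read etc/shadow from the tar inside and
    return accounts whose password field is a usable hash ('' / '*' / '!' = locked)."""
    data = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(image[offset:])
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.lstrip("./") == "etc/shadow":
                rows = [line.split(":") for line in tar.extractfile(member).read().decode().splitlines()]
                return [r[0] for r in rows if len(r) > 1 and r[1] and r[1][0] not in "!*"]
    return []


def build_sample_image(offset: int = 0x200) -> bytes:
    """Constructed test image (not the vendor's firmware): zero padding, then a
    gzip'd tar holding an etc/shadow with a placeholder root hash."""
    shadow = (b"root:$1$saltxx$PLACEHOLDER_NOT_A_REAL_HASH:10933:0:99999:7:::\n"
              b"nobody:*:10933:0:99999:7:::\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("etc/shadow")
        info.size = len(shadow)
        tar.addfile(info, io.BytesIO(shadow))
    return b"\x00" * offset + gzip.compress(buf.getvalue())


if __name__ == "__main__":
    img = build_sample_image()
    for off in find_gzip_members(img):
        print(f"plaintext gzip member at {off:#x}; accounts with a shipped hash: "
              f"{shadow_accounts_with_hash(img, off)}")
```

A properly encrypted image yields no confirmed members, so an empty result from find_gzip_members is the passing outcome of this check; any reported account with a hash means the image leaks credential material as described above.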