-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-008
Product:                   Unify CP IP Phones
Manufacturer:              Unify Communications and Collaboration GmbH & Co. KG
Affected Version(s):       Firmware >= CP SIP V1.10.4.3
Tested Version(s):         Firmware CP SIP V1.10.4.3
Vulnerability Type:        Use of Weak Credentials (CWE-1391)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2024-01-22
Solution Date:             2024-04-03
Public Disclosure:         2024-04-03
CVE Reference:             CVE-2024-28066
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Unify CP IP phones are modern desk phones used in enterprise
environments.

The manufacturer describes the product as follows (see [1]):

"Intuitive, space-efficient and gigabit to the desk. The ergonomic Atos
OpenScape Desk Phone IP family delivers a user-friendly, cost-effective
and feature-rich communications experience."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Unix account "root" on Unify CP IP Phones is protected by a
hardcoded and weak password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Extract the file system from the firmware (see SYSS-2024-007 [2]).

2. Hardcoded md5crypt password hashes for the user "root" can be found
   in "/etc/shadow".

3. Because the password is weak, the cleartext password could be
   recovered in an offline password-guessing attack:

   lxdb (root)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer, the vulnerability has been fixed [5].
Fixed versions are 1.11.3.0, 2.0.14.0 and 1.8.2.0.

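The PoC steps reduce to a check that a firmware owner can run on their own extracted root filesystem: parse /etc/shadow, report which accounts are login-capable (hash set) versus locked ("!" or "*", which is what the vendor's fix of disabling the root account produces), flag the legacy md5crypt ($1$) scheme, and confirm whether a login-capable hash matches a short list of weak candidates. The script below is an added example, not part of the SySS advisory or the vendor's firmware. The shadow entries, the salt "ab12cd34", the weak password "demo" and the candidate list are constructed; md5crypt() is a from-scratch implementation of the standard $1$ algorithm so the script runs offline without the deprecated crypt module.

```python
"""Audit /etc/shadow from an extracted firmware rootfs for hardcoded,
login-capable accounts and legacy password hashes (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64 of the low 6*count bits, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Standard FreeBSD/glibc md5crypt ($1$), as found in legacy shadow files."""
    pw, salt = password.encode(), salt[:8]
    sb, magic = salt.encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in alt digest, len(pw) bytes total
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000 rounds: cheap to guess today
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return f"$1${salt}${enc}"


HASH_SCHEMES = {"$1$": "md5crypt (legacy, weak)", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$y$": "yescrypt", "$2b$": "bcrypt"}


@dataclass
class Finding:
    user: str
    status: str                 # "hashed" (login-capable), "locked", "empty"
    scheme: Optional[str]
    weak_password: Optional[str]


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user -> password field; skips blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def classify(hashfield: str) -> str:
    if hashfield == "":
        return "empty"          # passwordless login possible: worst case
    if hashfield[0] in "!*":
        return "locked"         # what a disabled account looks like
    return "hashed"


def scheme_of(hashfield: str) -> str:
    for prefix, name in HASH_SCHEMES.items():
        if hashfield.startswith(prefix):
            return name
    return "unknown/traditional DES"


def audit_shadow(text: str, candidates: List[str]) -> List[Finding]:
    """Flag every account; for md5crypt hashes, test the weak candidates."""
    findings = []
    for user, h in parse_shadow(text).items():
        status = classify(h)
        if status != "hashed":
            findings.append(Finding(user, status, None, None))
            continue
        weak = None
        if h.startswith("$1$"):
            salt = h.split("$")[2]
            weak = next((c for c in candidates if md5crypt(c, salt) == h), None)
        findings.append(Finding(user, status, scheme_of(h), weak))
    return findings


# Constructed sample data: an unfixed image (root hardcoded, md5crypt) and a
# fixed image (root locked). The root hash is generated here, not taken from
# any device; "demo" is a constructed weak password.
SAMPLE_SALT, SAMPLE_WEAK = "ab12cd34", "demo"
SHADOW_UNFIXED = f"""root:{md5crypt(SAMPLE_WEAK, SAMPLE_SALT)}:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
admin:$6$X1y2z3$PLACEHOLDERHASH:19700:0:99999:7:::
"""
SHADOW_FIXED = "root:!:19700:0:99999:7:::\ndaemon:*:19700:0:99999:7:::\n"
WEAK_CANDIDATES = ["root", "admin", "password", "123456", "demo"]

if __name__ == "__main__":
    for label, shadow in (("unfixed", SHADOW_UNFIXED), ("fixed", SHADOW_FIXED)):
        print(f"== {label} image ==")
        for fnd in audit_shadow(shadow, WEAK_CANDIDATES):
            print(f"{fnd.user:8} {fnd.status:7} {fnd.scheme or '-':24} "
                  f"weak={fnd.weak_password!r}")
```

Run it against a real extracted rootfs by reading `<rootfs>/etc/shadow` into `audit_shadow()`; a "hashed" root entry in a shipped image is the finding this advisory describes, and a "locked" one is what a fixed image should show.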
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-01-17: Vulnerability discovered
2024-01-22: Vulnerability reported to manufacturer
2024-01-22: Manufacturer confirmed reception
2024-02-22: Requested the current status from the manufacturer
2024-02-23: Manufacturer responded that it is still under investigation
2024-02-28: Manufacturer reported that a fixed firmware would be provided
            by March 29, 2024; the planned fix will disable the root
            account
2024-03-01: CVE-2024-28066 assigned
2024-03-04: Manufacturer responded: "This vulnerability poses no
            significant risk to the Desk Phone."
2024-03-04: A public advisory is planned by the manufacturer
2024-03-28: Manufacturer informed that two out of three fixed versions
            are available
2024-04-03: All fixed versions are available
2024-04-03: Manufacturer published a security note [5]
2024-04-03: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Unify CP IP Phones product website
    https://unify.com/en/solutions/phones-and-clients/desktop-phones
[2] SySS Security Advisory SYSS-2024-007
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-007.txt
[3] SySS Security Advisory SYSS-2024-008
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-008.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] Manufacturer note, OBSO-2404-01
    https://networks.unify.com/security/advisories/OBSO-2404-01.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmYOtcwACgkQrgyb+PE0
i1PgwA/8DzG1HvDou8utXoC28slOqqqkRQbXZyXdsGYa6ex8k+tskPrLSKqc9l0a
SFXpKn9voTvFk09n5VJYDnQJFm4R/WvB21rQAaajh0RQShdFlUqowXQ12EhkemX7
Fhz1lMVdjg3/FYqzTW4eFLPIPYe7dJp3IqZoFsegk+khVjFeX2s6Dx1XbrzCr55i
sSYEflJvXjhOUK8x9PzupirB1HQGYcO1qf00qs+fPnAfFx5QLf+Tl/owH1zripN5
f/ZETH6rO/XXM36H2Ne/qwuLyQc5NH6AAO8rzgAA8g2qbIU1jH2UFKweTrzucQtu
ZRVOzPmCX9L2h/7u5KeA139G2wQ5ABvgAfm99VuyT/1XMcrXRUBjCV3Wr7WSOnln
DMrB5sFlAkZA2Q7a5iAn3xR2ECAY77vqC39QBj3NbUx4RWU8u9ErrCIcXndHlYfu
9dWUHqZzYId2kDPG6u7ka1iTZ2xQanOsXRsa5JmsvNyhQZK4IbuI4vCRG9FESrE8
yn4yJBrQDi1WwFBsKejX4eElc7PGZAmGVVqgAgDK5coOLDvTkEF7/aw16qWHy86T
6+1EDmmVD+qAyQtjd9pWY/ZLe+FK+6j1cMYwtOmZ/4V3WxEdHF2Za2mMzsrmGPed
j5GsFAuGp1U6WnyqbNJdANgz8RarUCyi9U72sdNfk5hRlNr6h94=
=+o2n
-----END PGP SIGNATURE-----