
innovaphone IP222 / IP232 Denial Of Service

05 Mar 2016 | Reported by Alexander Brachmann | Type: packetstorm | Source: packetstormsecurity.com

innovaphone IP222/IP232 Denial of Service vulnerability fixed in firmware 11r2 sr

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-053  
Product: innovaphone IP222/IP232  
Manufacturer: innovaphone AG  
Affected Version(s): 11r1s r2  
Tested Version(s): 11r1s r2  
Vulnerability Type: Denial of Service (CWE-730)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2015-09-02  
Solution Date: unknown  
Public Disclosure: 2016-03-04  
CVE Reference: Not yet assigned  
Author of Advisory: Alexander Brachmann (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
The innovaphone IP222 and IP232 are IP telephones with many features.  
  
The manufacturer innovaphone describes the products as follows (see [1],   
[2]):  
  
"The IP222 telephone unites a very modern design with groundbreaking  
technological details. It belongs to the innovaphone product family that  
won the popular "red dot award: product design".  
  
(...)  
  
The innovaphone IP232 IP phone unites a very modern design with   
groundbreaking technological details. It belongs to the innovaphone   
design telephone product range that won the coveted "red dot award:   
product design"."  
  
Due to a vulnerability in the H.323 network service on the TCP port  
1720, the telephone can be restarted in an unauthorized manner by  
an attacker causing a denial-of-service condition.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
A vulnerability in the H.323 network service on TCP port 1720 of the  
IP222 telephone, which was not analyzed further, can be exploited by an  
attacker on the same network to reboot the telephone without authorization.  
  
This vulnerability can be used for denial-of-service attacks against the  
IP222 telephone at arbitrary states, for example during a call.  
  
If the IP222 telephone is configured in such a way that its users are  
not automatically logged in after a reboot, the impact of this  
denial-of-service attack is even bigger as user interaction is required  
to restore the IP telephone to the previous working state.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The IP telephone IP222 can be rebooted in an unauthorized way by sending  
random data to its H.323 network service on the TCP port 1720, for  
example by using the following command:  
  
$ cat /dev/urandom | nc <IP ADDRESS> 1720  
  
Before rebooting, the CPU register state is shown on the telephone's  
display (white text on red background).  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to test results of the SySS GmbH with a newer firmware  
version 11r2 sr9, the reported security issue was fixed by the  
manufacturer.  
  
Please contact the manufacturer for further information or support.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-09-04: Vulnerability reported to manufacturer  
2015-09-07: Manufacturer acknowledges e-mail with SySS security advisory  
            and asks for further information  
2015-09-08: Response to open question  
2015-11-06: E-mail to manufacturer asking about the current state of the  
            reported security issue  
2015-11-06: Manufacturer cannot reproduce the security issue  
            Providing detailed information how the security  
            vulnerability can be triggered  
2015-11-09: E-mail to manufacturer asking about the current state of the  
            reported security issue  
2015-11-12: Further e-mail to manufacturer asking about the current  
            state of the reported security issue  
2016-03-03: Test of the security vulnerability with the newer firmware  
            version 11r2 sr9 where no DoS condition could be triggered  
            anymore  
2016-03-04: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] innovaphone IP222 product Web site  
http://www.innovaphone.com/en/ip-telephony/ip-phones/ip222.html  
[2] innovaphone IP232 product Web site  
http://www.innovaphone.com/en/ip-telephony/ip-phones/ip232.html  
[3] SySS Security Advisory SYSS-2015-053  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-053.txt  
[4] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Alexander Brachmann of the   
SySS GmbH.  
  
E-Mail: alexander.brachmann (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Alexander_Brachmann.asc  
Key fingerprint = 8E49 74AF 34A6 E600 E958 FB63 2E8E 1546 17DE CFFE  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is" and   
without warranty of any kind. Details of this security advisory may be updated   
in order to provide as accurate information as possible. The latest version of   
this security advisory is available on the SySS Web site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
iEYEAREKAAYFAlbZRTsACgkQLo4VRhfez/6SfACgn5/C92L79sVNEcAUBdSo6RZF  
Sc4An07SEfFnu6Jyz9jL/bd9tHJ8t7Tj  
=T67e  
-----END PGP SIGNATURE-----  
`
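
Because the advisory's trigger is unstructured data on TCP port 1720, a monitoring point in front of phones still running the affected firmware can flag peers whose opening bytes are not H.225.0 call signalling. The following is an added example, not part of the SySS advisory: it checks the TPKT header (RFC 1006) and the Q.931 protocol discriminator, which are framing rules taken from those standards rather than from the advisory. The function names and sample bytes are constructed for illustration.

```python
import struct

Q931_DISCRIMINATOR = 0x08  # first octet of every Q.931/H.225.0 message
TPKT_MIN_LEN = 7           # 4-byte TPKT header + discriminator + call-ref length + message type


def check_h225_framing(payload: bytes) -> str:
    """Classify the first bytes a peer sent to TCP 1720.

    Returns "ok", "incomplete" (too short to judge) or "malformed: <reason>".
    """
    if len(payload) < 4:
        return "incomplete"
    version, reserved, length = struct.unpack("!BBH", payload[:4])
    if version != 3 or reserved != 0:
        return "malformed: bad TPKT version/reserved octets"
    if length < TPKT_MIN_LEN:
        return "malformed: TPKT length too small"
    if len(payload) < 6:
        return "incomplete"
    if payload[4] != Q931_DISCRIMINATOR:
        return "malformed: not a Q.931 message"
    if payload[5] & 0xF0:  # upper four bits of the call reference length octet must be zero
        return "malformed: bad call reference length octet"
    return "ok"


def flag_suspect_peers(first_payloads: dict) -> dict:
    """Return {peer: reason} for peers whose opening bytes are not H.225.0."""
    suspects = {}
    for peer, data in first_payloads.items():
        verdict = check_h225_framing(data)
        if verdict.startswith("malformed"):
            suspects[peer] = verdict
    return suspects


# Constructed sample input (not captured traffic): opening bytes per peer.
SAMPLE = {
    "192.0.2.10": bytes.fromhex("0300000b08020001052800"),  # well-formed SETUP prefix
    "192.0.2.66": bytes.fromhex("9f3c17e2a4b05d11"),        # unstructured bytes
    "192.0.2.67": bytes.fromhex("0300000bff020001052800"),  # TPKT ok, wrong discriminator
}

if __name__ == "__main__":
    for peer, reason in flag_suspect_peers(SAMPLE).items():
        print(peer, reason)
```
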
