innovaphone versions IP222 and IP232 suffer from a remote denial of service vulnerability.
Product: innovaphone IP222/IP232
Manufacturer: innovaphone AG
Affected Version(s): 11r1s r2
Tested Version(s): 11r1s r2
Vulnerability Type: Denial of Service (CWE-730)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2015-09-02
Solution Date: unknown
Public Disclosure: 2016-03-04
CVE Reference: Not yet assigned
Author of Advisory: Alexander Brachmann

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The innovaphone IP222 and IP232 are IP telephones with many features.

The manufacturer innovaphone describes the products as follows (see , ):

"The IP222 telephone unites a very modern design with groundbreaking technological details. It belongs to the innovaphone product family that won the popular "red dot award: product design".
(...)
The innovaphone IP232 IP phone unites a very modern design with groundbreaking technological details. It belongs to the innovaphone design telephone product range that won the coveted "red dot award: product design"."

Due to a vulnerability in the H.323 network service on TCP port 1720, an attacker can restart the telephone without authorization, causing a denial-of-service condition.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A vulnerability in the H.323 network service on TCP port 1720 of the IP222 telephone, which was not analyzed further, can be exploited by an attacker on the same network to reboot the telephone without authorization.

This vulnerability can be used for denial-of-service attacks against the IP222 telephone in arbitrary states, for example during a call.

If the IP222 telephone is configured in such a way that its users are not automatically logged in after a reboot, the impact of this denial-of-service attack is even bigger, as user interaction is required to restore the IP telephone to its previous working state.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The IP222 telephone can be rebooted without authorization by sending random data to its H.323 network service on TCP port 1720, for example by using the following command:

$ cat /dev/urandom | nc <IP ADDRESS> 1720

Before rebooting, the CPU register state is shown on the telephone's display (white text on red background).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to test results of the SySS GmbH with a newer firmware version 11r2 sr9, the reported security issue was fixed by the manufacturer.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-09-04: Vulnerability reported to manufacturer
2015-09-07: Manufacturer acknowledges e-mail with SySS security advisory and asks for further information
2015-09-08: Response to open question
2015-11-06: E-mail to manufacturer asking about the current state of the reported security issue
2015-11-06: Manufacturer cannot reproduce the security issue
            Providing detailed information on how the security vulnerability can be triggered
2015-11-09: E-mail to manufacturer asking about the current state of the reported security issue
2015-11-12: Further e-mail to manufacturer asking about the current state of the reported security issue
2016-03-03: Test of the security vulnerability with the newer firmware version 11r2 sr9 where no DoS condition could be triggered anymore
2016-03-04: Public release of security advisory
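
Added detection example (not part of the SySS advisory and not innovaphone code): H.225.0 call signalling on TCP port 1720 is framed with TPKT (RFC 1006) and carries Q.931 messages, so a network sensor can flag connections to a phone whose first bytes are not a plausible signalling header, which random data almost never is. The function names, the sample addresses and payloads, and the allow-list of expected signalling peers are assumptions made for illustration; the advisory does not analyze the root cause, so this checks framing only and does not model the bug.

```python
import struct

TPKT_VERSION = 3            # RFC 1006 framing used by H.225.0 call signalling
Q931_DISCRIMINATOR = 0x08   # first octet of every Q.931 message
MIN_TPKT_LEN = 7            # 4-byte TPKT header + discriminator, call-ref length, message type

# Constructed sample: TPKT header (length 9) + minimal Q.931 Setup header.
VALID_SETUP = bytes([0x03, 0x00, 0x00, 0x09, 0x08, 0x02, 0x00, 0x01, 0x05])

# Constructed (source address, first bytes seen on TCP 1720) records.
SAMPLE = [
    ("192.0.2.10", VALID_SETUP),                      # assumed PBX / gatekeeper
    ("192.0.2.77", bytes.fromhex("9f3ac1770b52e4")),  # random-looking bytes
    ("192.0.2.78", VALID_SETUP),                      # well-formed, unknown peer
]


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent to the H.323 port."""
    if len(data) < 5:
        return "incomplete"
    version, reserved, length = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION or reserved != 0:
        return "malformed: bad TPKT header"
    if length < MIN_TPKT_LEN:
        return "malformed: bad TPKT length"
    if data[4] != Q931_DISCRIMINATOR:
        return "malformed: not Q.931"
    return "plausible"


def triage(connections, allowed_peers):
    """Return (source, reason) alerts for connections worth investigating."""
    alerts = []
    for src, payload in connections:
        verdict = classify_first_bytes(payload)
        if verdict.startswith("malformed"):
            alerts.append((src, verdict))
        elif verdict == "plausible" and src not in allowed_peers:
            alerts.append((src, "unexpected signalling peer"))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE, allowed_peers={"192.0.2.10"}):
        print(alert)
```

On phones still running the affected firmware, the same allow-list can be enforced as a network ACL so that only the expected signalling peers reach TCP port 1720.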