Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22322
HistoryAug 14, 2009 - 12:00 a.m.

Authentication Bypass of Snom Phone Web Interface

2009-08-1400:00:00
vulners.com
27
JSON

#############################################################

COMPASS SECURITY ADVISORY

http://www.csnc.ch/en/downloads/advisories.html

#############################################################

Product: Snom VoIP/SIP Phones (Snom300, Snom320, Snom360,

Snom370, Snom820)

Vendor: snom technology AG

CVD ID: CVE-2009-1048

Subject: Authentication Bypass of Snom Phone Web Interface

Risk: High

Effect: Remote

Author: Walter Sprenger

Date: August 13, 2009

#############################################################

Introduction:

The VoIP phones of snom technology AG can be configured, monitored
or controlled with a browser connecting to the built in web interface.
It is strongly recommended to enable authentication on the web
interface and to set a strong password.
By constructing a specially crafted HTTP request the authentication
of the web interface can be completely bypassed.

Impact:

Access to the web interface without authentication enables a
malicious user to 2:

  • call expensive numbers
  • listen to the phone conversation by capturing the network traffic
  • read SIP username and password
  • read and modify all configuration parameters of the phone
  • redirect phone calls to another VoIP server
  • activate the microphone and listen to the conversation in the room

Affected:

  • The tests have been conducted on a Snom360, Firmware versions:
    • snom360 linux 3.25/snom360-SIP 6.5.17
    • snom360 linux 3.25/snom360-SIP 6.5.18
    • snom360-SIP 7.1.30
    • snom360-SIP 7.1.35 14552
  • All Snom300, Snom320, Snom360, Snom370 and Snom820 with firmware
    versions below 6.5.20, 7.1.39 and 7.3.14 are vulnerable according
    to snom technology AG
  • Not vulnerable:
    • Firmware version 6.5.20 and higher
    • Firmware version 7.1.39 and higher
    • Firmware version 7.3.14 and higher

Technical Description:

The web interface of the Snom VoIP/SIP phones is protected by
Basic Authentication or Digest Authentication.
The authentication can be completely bypassed by modifying the
HTTP request. A normal browser sets the request header "Host:"
to the IP address or the host name that is entered in the URL
field of the browser. If the request header is modified to
contain the value "Host: 127.0.0.1", all pages and functions
of the web interface can be reached without prompting the user
to authenticate.

How to test:

curl -H "Host: 127.0.0.1" http://<IP address of phone>/
curl -k -H "Host: 127.0.0.1" https://<IP address of phone>/

-> if the phone is vulnerable, the index page of the web
interface is returned
-> if the phone is not vulnerable, an
"HTTP/1.1 401 Unauthorized" response is returned

Workaround / Fix:

  • Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above
  • Disable the web interface until a firmware upgrade is installed

Timeline:

Vendor Notified: March 19, 2009
Vendor Status: Replied on March 19 and March 30, vulnerability
confirmed
Vendor Response: Problem fixed in firmware version 7.1.39/7.3.14.
Problem will be fixed in version 6.
Patch available: Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14
and above

References:

Related

prion 1
packetstorm 1
cve 1
securityvulns 1
prion
prion
Authentication flaw
2009-08-14 15:16:00
packetstorm
packetstorm
Snom VoIP/SIP Phone Bypass
2009-08-15 00:00:00
cve
cve
CVE-2009-1048
2009-08-14 15:16:00
securityvulns
securityvulns
SNOM VoIP phones authentication bypass
2009-08-14 00:00:00
JSON
Related for SECURITYVULNS:DOC:22322
prion1packetstorm1cve1securityvulns1