Snom VoIP/SIP Phones Authentication Bypass

2009-08-17 / 2009-08-18
Credit: null
Risk: High
Local: No
Remote: Yes
CWE: CWE-287

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# COMPASS SECURITY ADVISORY # # # Product: Snom VoIP/SIP Phones (Snom300, Snom320, Snom360, # Snom370, Snom820) # Vendor: snom technology AG # CVD ID: CVE-2009-1048 # Subject: Authentication Bypass of Snom Phone Web Interface # Risk: High # Effect: Remote # Author: Walter Sprenger # Date: August 13, 2009 # Introduction: ------------- The VoIP phones of snom technology AG can be configured, monitored or controlled with a browser connecting to the built in web interface. It is strongly recommended to enable authentication on the web interface and to set a strong password. By constructing a specially crafted HTTP request the authentication of the web interface can be completely bypassed. Impact: ------- Access to the web interface without authentication enables a malicious user to [2]: - call expensive numbers - listen to the phone conversation by capturing the network traffic - read SIP username and password - read and modify all configuration parameters of the phone - redirect phone calls to another VoIP server - activate the microphone and listen to the conversation in the room Affected: --------- - The tests have been conducted on a Snom360, Firmware versions: - snom360 linux 3.25/snom360-SIP 6.5.17 - snom360 linux 3.25/snom360-SIP 6.5.18 - snom360-SIP 7.1.30 - snom360-SIP 7.1.35 14552 - All Snom300, Snom320, Snom360, Snom370 and Snom820 with firmware versions below 6.5.20, 7.1.39 and 7.3.14 are vulnerable according to snom technology AG - Not vulnerable: - Firmware version 6.5.20 and higher - Firmware version 7.1.39 and higher - Firmware version 7.3.14 and higher Technical Description: ---------------------- The web interface of the Snom VoIP/SIP phones is protected by Basic Authentication or Digest Authentication. The authentication can be completely bypassed by modifying the HTTP request. A normal browser sets the request header "Host:" to the IP address or the host name that is entered in the URL field of the browser. If the request header is modified to contain the value "Host:", all pages and functions of the web interface can be reached without prompting the user to authenticate. How to test: ------------ curl -H "Host:" http://<IP address of phone>/ curl -k -H "Host:" https://<IP address of phone>/ -> if the phone is vulnerable, the index page of the web interface is returned -> if the phone is not vulnerable, an "HTTP/1.1 401 Unauthorized" response is returned Workaround / Fix: ----------------- - Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above - Disable the web interface until a firmware upgrade is installed Timeline: --------- Vendor Notified: March 19, 2009 Vendor Status: Replied on March 19 and March 30, vulnerability confirmed Vendor Response: Problem fixed in firmware version 7.1.39/7.3.14. Problem will be fixed in version 6. Patch available: Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14 and above References: ----------- [1]: [2]:


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top