innovaphone IP222 11r2 sr9 Brute Force

Credit: Sven Freund
Risk: Low
Local: No
Remote: Yes
CWE: CWE-307

Advisory ID: SYSS-2016-018 Product: innovaphone IP222 Manufacturer: innovaphone AG Affected Version(s): 11r2 sr9 Tested Version(s): 11r2 sr9 Vulnerability Type: Improper Restriction of Excessive Authentication Attempts (CWE-307) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2016-03-04 Solution Date: Unknown Public Disclosure: 2016-03-24 CVE Reference: Not yet assigned Author of Advisory: Sven Freund (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The innovaphone IP222 is a Voice over IP telephone solution, which provides many communication functionalities, for instance, announcement function, password protected administration via web browser (HTTPS), multiple registration up to six users at the same time and many other features. The manufacturer innovaphone AG describes the product as follows (see [1]): "The IP222 telephone unites a very modern design with groundbreaking technological details. It belongs to the innovaphone product family that won the popular 'red dot award: product design'." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The innovaphone IP222 provides a password protected administration interface, which can be accessed via a web browser. Although the basic authentication was disabled and instead the digest authentication is used, it is still possible to perform brute-force attacks against the password authentication process. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The innovaphone IP222 provides a password protected administration interface, which could be accessed via a web browser, but possesses no countermeasures against brute-force attacks. Therefore, it is possible to perform brute-force attacks with common tools like Nmap or Hydra: nmap -p80 --min-rate=200 --script http-brute --script-args http-brute. path="CMD0/mod_cmd.xml" -d (...) Overall sending rates: 1042.75 packets / s. NSE: Script scanning NSE: Starting runlevel 1 (of 1) scan. NSE: Starting http-brute against Initiating NSE at 16:24 NSE: Discovered account: test:test - Valid credentials Due to the current configuration settings, the sending rate for a web based brute-force attack is almost 1042.75 packets per second. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to information by the innovaphone AG, the described security issue has been addressed by the following workaround: Please contact the manufacturer for further information or support. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-03-04: Vulnerability reported to manufacturer 2016-03-09: Manufacturer acknowledges e-mail with SySS security advisory and described the security issue as fixed 2016-03-24: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Web Site for innovaphone IP222 [2] SySS Security Advisory SYSS-2016-018 [3] SySS Responsible Disclosure Policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sven Freund of the SySS GmbH. E-Mail: sven.freund (at) Public Key: Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top