[NEWS] Hitachi IP5000 VOIP WIFI Phone Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 11/21/05

  • Next message: SecuriTeam: "[NT] Qualcomm WorldMail IMAP Server Directory Traversal" 
    To: list@securiteam.com
Date: 21 Nov 2005 16:30:44 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Hitachi IP5000 VOIP WIFI Phone Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.wirelessip5000.com/> WirelessIP5000 is an all-around wireless
    IP phone supporting the Session Initiation Protocol (SIP).

    Multiple security vulnerabilities have been discovered in Hitachi's
    IP5000 VOIP WIFI Phone.

    DETAILS

    Vulnerable Systems:
     * Hitachi IP5000 VOIP WIFI Phone, Firmware version 1.5.6

    Hitachi IP5000 VOIP WIFI Phone handset hardcoded administrator password:
    The Hitachi VOIP WIFI phone handset has a default administrator password
    of "0000" that the user enters in order to access administrator functions
    when programming the handset via the physical keys.

    This password appears to be hardcoded and presents a physical
    vulnerability. If an attacker can physically access the phone (borrow,
    phone rental scenario, theft, etc.) the attacker can derive sensitive
    information and modify the phone's configuration.

    There appears to be no workaround for this vulnerability.

    Hitachi IP5000 VOIP WIFI phone HTTP server vulnerabilities:
    The HTTP server (port TCP/8080) on the Hitachi IP5000 phone has two
    security
    issues:

    1. Improper information disclosure:
    The HTTP daemon default index page discloses what the device is (Hitachi
    IP5000 phone), the phone software versions, phone MAC address, IP address
    and routing information. An attacker can use this to discover quickly what
    the device is and see if there are any associated vulnerabilities. Also,
    the disclosure of the phone's routing/gateway information can provide an
    attacker with information for a DoS attack. An attacker does not need to
    authenticate to the phone to obtain this information from the index page.
    Workaround is to disable the HTTP server via the phone's physical
    interface or via the HTTP interface.

    2. Web server default configuration does not require credentials to
    authenticate.
    This allows an attacker to access any of the various configuration pages
    of the phone, changing the phone configuration, etc.

    Workaround is to disable the HTTP server via the phone's physical
    interface or via the HTTP interface. The phone user may also set a
    password via the HTTP interface.

    Note that the password set page does not require the previous password (an
    attacker could lock out a user if the initial password is not set), nor
    does it require the new password to be entered twice (to avoid
    fat-fingering).

    Hitachi IP5000 VOIP WIFI Phone SNMP daemon vulnerabilities:
    The Hitachi IP5000 VOIP WIFI phone SNMP v1/v2c daemon allows read/write
    access to the phone's SNMP configuration using any credentials.

    An attacker can use this vulnerability to access the phone's SNMP
    configuration, potentially reading/writing/erasing sensitive information.

    There seems to be no workaround as it appears that the SNMP daemon can
    neither be disabled, nor can the SNMP daemon read/write strings be
    modified by the phone user.

    Hitachi IP5000 VOIP WIFI Phone undocumented port TCP/3390 Unidata Shell:
    The Hitachi IP5000 phone has a undocumented open port, TCP/3390, that
    provides an unauthenticated attacker access to the Unidata Shell created
    upon connection. This may allow an attacker to access sensitive
    information and potentially impact the phone's operations in a DoS.

    As a workaround, there appears to be no means to disable this port and
    service, so no workaroud appears possible.

    Vendor response:
    None. However, issues addressed at:
     
    <http://www.hitachi-cable.co.jp/ICSFiles/infosystem/security/76659792_e.pdf> http://www.hitachi-cable.co.jp/ICSFiles/infosystem/security/76659792_e.pdf

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:shawnmer@gmail.com> Shawn
    Merdinger.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Qualcomm WorldMail IMAP Server Directory Traversal"