-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-053
Product: innovaphone IP222/IP232
Manufacturer: innovaphone AG
Affected Version(s): 11r1s r2
Tested Version(s): 11r1s r2
Vulnerability Type: Denial of Service (CWE-730)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2015-09-02
Solution Date: unknown
Public Disclosure: 2016-03-04
CVE Reference: Not yet assigned
Author of Advisory: Alexander Brachmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The innovaphone IP222 and IP232 are IP telephones with many features.

The manufacturer innovaphone describes the products as follows (see [1], 
[2]):

"The IP222 telephone unites a very modern design with groundbreaking
technological details. It belongs to the innovaphone product family that
won the popular "red dot award: product design".

(...)

The innovaphone IP232 IP phone unites a very modern design with 
groundbreaking technological details. It belongs to the innovaphone 
design telephone product range that won the coveted "red dot award: 
product design"."

Due to a vulnerability in the H.323 network service on the TCP port
1720, the telephone can be restarted in an unauthorized manner by
an attacker causing a denial-of-service condition.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A not further analyzed vulnerability in the H.323 network service on the
TCP port 1720 of the IP telephone IP222 can be exploited by an attacker on
the same network to reboot the telephone in an unauthorized way.

This vulnerability can be used for denial-of-service attacks against the
IP222 telephone at arbitrary states, for example during a call.

If the IP222 telephone is configured in such a way that its users are
not automatically logged in after a reboot, the impact of this
denial-of-service attack is even bigger as user interaction is required
to restore the IP telephone to the previous working state.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The IP telephone IP222 can be rebooted in an unauthorized way by sending
random data to its H.323 network service on the TCP port 1720, for
example by using the following command:

$ cat /dev/urandom | nc <IP ADDRESS> 1720

Before rebooting, the CPU register state is shown on the telephone's
display (white text on red background).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to test results of the SySS GmbH with a newer firmware
version 11r2 sr9, the reported security issue was fixed by the
manufacturer.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-09-04: Vulnerability reported to manufacturer
2015-09-07: Manufacturer acknowledges e-mail with SySS security advisory
            and asks for further information
2015-09-08: Response to open question
2015-11-06: E-mail to manufacturer asking about the current state of the
            reported security issue
2015-11-06: Manufacturer cannot reproduce the security issue
            Providing detailled information how the security
            vulnerability can be triggered
2015-11-09: E-mail to manufacturer asking about the current state of the
            reported security issue
2015-11-12: Further e-mail to manufacturer asking about the current
            state of the reported security issue
2016-03-03: Test of the security vulnerability with the newer firmware
            version 11r2 sr9 where no DoS condition could be triggered
            anymore
2016-03-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] innovaphone IP222 product Web site
    http://www.innovaphone.com/en/ip-telephony/ip-phones/ip222.html
[2] innovaphone IP232 product Web site
    http://www.innovaphone.com/en/ip-telephony/ip-phones/ip232.html
[3] SySS Security Advisory SYSS-2015-053
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-053.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Alexander Brachmann of the 
SySS GmbH.

E-Mail: alexander.brachmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Alexander_Brachmann.asc
Key fingerprint = 8E49 74AF 34A6 E600 E958 FB63 2E8E 1546 17DE CFFE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and 
without warranty of any kind. Details of this security advisory may be updated 
in order to provide as accurate information as possible. The latest version of 
this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEAREKAAYFAlbZRTsACgkQLo4VRhfez/6SfACgn5/C92L79sVNEcAUBdSo6RZF
Sc4An07SEfFnu6Jyz9jL/bd9tHJ8t7Tj
=T67e
-----END PGP SIGNATURE-----