-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-017 Product: innovaphone IP222 Manufacturer: innovaphone AG Affected Version(s): 11r2 sr9 Tested Version(s): 11r2 sr9 Vulnerability Type: Improper Input Validation (CWE-20) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2016-03-04 Solution Date: Unknown Public Disclosure: 2016-03-24 CVE Reference: Not yet assigned Author of Advisory: Sven Freund (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The innovaphone IP222 is a Voice over IP telephone solution, which provides many communication functionalities, for instance, announcement function, password protected administration via web browser (HTTPS), multiple registration up to six users at the same time and many other features. The manufacturer innovaphone AG describes the product as follows (see [1]): "The IP222 telephone unites a very modern design with groundbreaking technological details. It belongs to the innovaphone product family that won the popular 'red dot award: product design'." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: At startup the innovaphone IP222 sends an HTTP request for a special PNG file to the involved server system. After the download has finished, the image is displayed on the phone by selecting the receiver screen in the menu. Providing a large image file (6.9 MB) within the download process and selecting the receiver screen on the phone will lead to a crash of the application and cause a denial of service condition. Remote code execution via this security vulnerability may also be possible, but was not confirmed by the SySS GmbH. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The innovaphone IP222 sends the following HTTP request to the server system during startup. GET /mypbx_logo.png HTTP/1.1 User-Agent: innovaphone-IP222/113392 Host: 192.168.5.27 If the server system answers this request with a large PNG file, the innovaphone IP222 will crash and restart when selecting the receiver screen in the menu. Remote code execution via this security vulnerability may also be possible, but was not confirmed by the SySS GmbH. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to information by the innovaphone AG, the described security issue has been fixed in software version v12r1 / v11r2sr12. Please contact the manufacturer for further information or support. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-03-04: Vulnerability reported to manufacturer 2016-03-09: Manufacturer acknowledges e-mail with SySS security advisory and described the security issue as fixed 2016-03-24: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Web Site for innovaphone IP222 https://www.innovaphone.com/en/ip-telefonie/ip-telefone/ip222.html [2] SySS Security Advisory SYSS-2016-017 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-017.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sven Freund of the SySS GmbH. E-Mail: sven.freund (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCgAGBQJW86afAAoJEIpfqFNBXUbcnmQH/A++TsYSIHOB81z+j/YmNnBZ yyhAw3q2zvcFcg4jfH2Z2bCspaBzYNbwT3SmN3eesE3kd0z/wm9pFvRDDAns1W3b ciYdK4289waDfDUlniw8usc5UjbGPdwKPVRwzFFckMEJC58PUWZ/XEs5X6oBZNwf 9rKTMIjCJyxOE+7mv7R8jD7E52iGM+dlqS296WDZJvzLCjCBA9ORMRZhFAA8ywdq hSilfN30ouXyI0eSEn7TmyjZsip9ED9ixmmxEyPrM4noA30YGV3tRJ4aznAve7B9 wxFBdD119ag/3NyHAmm970jVo58oQwOuQWFtEZvuhEPklRIpgz+gencfR6FMCTA= =0xAE -----END PGP SIGNATURE-----