I disclosed today the following vulnerabilities at the 32nd CSI conference in Washington, D.C. Thanks, Shawn Merdinger =============================================================== VENDOR: Zyxel PRODUCT: Zyxel P2000W Version 1 VOIP WIFI Phone http://www.zyxel.com/product/P2000W.php SOFTWARE VERSION: Wj.00.10 Feb 05 2005 VENDOR NOTIFIED: 28 June, 2005 VENDOR RESPONSE: None A. VULNERABILITY TITLE: Zyxel P2000W v.1 VOIP WIFI Phone undocumented port UDP/9090 VULNERABILITY DETAILS, IMPACT AND WORKAROUND: The Zyxel P2000W v.1 VOIP WIFI phone has an undocumented port, UDP/9090, that provides an unauthenticated attacker information about the phone, specifically the phone's MAC address and software version is returned upon connection. An attacker can use this vulnerabiltiy to easily identiy the phone and software version. Also, the undocumented open port may provide an avenue for DoS. There appears to be no workaround for this issue. B. VULNERABILITY TITLE: Zyxel P2000W v.1 VOIP WIFI Phone uses hardcoded DNS servers VULNERABILITY DETAILS, IMPACT AND WORKAROUND: The Zyxel P2000W v.1 VOIP WIFI phone uses hardcoded DNS servers located in Taiwan for the phone's DNS configuration. Primary DNS IP is 168.95.1.1 resolving to dns.hinet.net Secondary DNS IP is 139.175.55.244 resolving to dns.seed.net.tw This configuration places every ZyXel phone using this software at risk of unintentional DoS if the DNS servers in Taiwan become unavailable. If the DNS servers are compromised, all Zyxel phone users worldwide are vulnerable to being redirected to malicious SIP servers, etc. For a temporary workaround users can manually input the IP address of a known, trusted DNS server via the keyboard at each phone start when configured for DHCP or PPOE, however, this will not persist once the phone is restarted. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/