
Information leak vulnerability in Snom-320 SIP Phone may allow access to user’s call records

Advisory Number: VIPER-2007-035
Release Date: 2007.05.15
Source: Sipera VIPER Lab
Systems Affected: Snom 320 SIP Phone (Kernel Version: snom320 linux 3.25, Application-Version: snom320-SIP 6.2.3, Rootfs-Version: snom320 jffs2 v3.36)
Category: Desk SIP Phone Denial of Service
Severity: Medium

Overview

An information leak vulnerability in the Snom-320 SIP phone may allow a remote third party to gain access to a user’s private call data records.

Impact

The user’s privacy is compromised because the call data records are reachable over HTTP without authentication. This may happen without the knowledge of the user.

Description

The Snom-320 SIP phone is a remotely manageable, firmware-upgradeable SIP business telephone. It uses the SIP protocol to provide VoIP services to business users. The Snom-320 has a built-in web server that supports end-user configuration; this web server listens on the standard HTTP port 80.

In addition to port 80, the Snom-320 phone has TCP port 1800 open and accessible over HTTP. Accessing port 1800 through a web browser displays the following information without asking for any password (formatted for readability):
Missed Calls
Date        Time    Missed  Local Identity     Number
--/--/----  5:09PM  1       6000@10.0.250.101  Snom A

Received Calls
Date        Time    Duration  Local Identity     Number
--/--/----  5:10PM  8:23      6000@10.0.250.101

Dialed Numbers
Date        Time    Duration  Local Identity     Number
--/--/----  6:11PM  3:20      6000@10.0.250.101  6007

This allows a remote malicious third party to gain access to the user’s private call records.
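As an added example (not part of this advisory, and not Snom or Sipera code), the following fleet-audit check lets an administrator confirm whether one of their own phones still serves call records on port 1800 without credentials, and whether a patched phone now answers with an authentication challenge. It assumes the plain-text layout quoted above; the function names, the sample response body and the status-code handling are assumptions.

```python
# Added example (not Sipera's or Snom's code): unauthenticated-access audit check
# for VIPER-2007-035. Assumes the plain-text layout quoted in the advisory.
import re
import urllib.error
import urllib.request

SECTIONS = ("Missed Calls", "Received Calls", "Dialed Numbers")
# groups: date, time, count-or-duration, local identity, optional remote number/name
ROW_RE = re.compile(r"^(\S+)\s+(\d{1,2}:\d{2}[AP]M)\s+(\S+)\s+(\S+@\S+)(?:\s+(.*))?$")
SAMPLE_LEAK = """Missed Calls
Date Time Missed Local Identity Number
--/--/---- 5:09PM 1 6000@10.0.250.101 Snom A

Dialed Numbers
Date Time Duration Local Identity Number
--/--/---- 6:11PM 3:20 6000@10.0.250.101 6007
"""  # constructed sample mirroring the advisory's readability-formatted output

def parse_call_records(body):
    """Return {section: [(date, time, count_or_duration, identity, number), ...]}."""
    records = {name: [] for name in SECTIONS}
    current = None
    for line in (raw.strip() for raw in body.splitlines()):
        if line in SECTIONS:
            current = line  # start of the next table
        elif current and not line.startswith("Date"):
            m = ROW_RE.match(line)  # header rows and blank lines do not match
            if m:
                d, t, extra, ident, number = m.groups()
                records[current].append((d, t, extra, ident, (number or "").strip()))
    return records

def classify(status, body):
    """'exposed' if records are readable with no credentials, 'protected' if the
    server demands authentication (the patched behaviour), else 'unknown'."""
    if status in (401, 403):
        return "protected"
    if status == 200 and any(parse_call_records(body).values()):
        return "exposed"
    return "unknown"

def audit_phone(host, port=1800, timeout=5.0):
    """Fetch the root URL on the given port with NO credentials and classify it."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}/", timeout=timeout) as r:
            return classify(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, "")
    except (urllib.error.URLError, OSError):
        return "unknown"
```

Run `audit_phone()` against each phone in your inventory before and after applying the vendor firmware; any result of "exposed" means the call history is still readable by anyone who can reach the phone's network segment.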

Solution

The phone’s web-server implementation should be patched to authenticate users accessing port 1800.

Vendor response:

Snom: More information about the solution is available at http://snom.com/wiki/index.php/Snom320/Firmware/Release_Notes#7.1.6_beta.

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com

UC Security Defined
Sipera Systems, the leader in real-time Unified Communications (UC) security, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments.
Sipera offers groundbreaking, production-proven solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements.
Backed by the industry-leading research of the VIPER lab, Sipera's solutions provide comprehensive threat protection, policy enforcement, access control, and encryption in a single flexible appliance.

© Copyright 2010 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, SLiC, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.