Weak authentication vulnerability in Snom-320 SIP phone may allow a remote attacker to misuse the phone
Overview
A weak-authentication vulnerability in the HTTP implementation of the Snom-320 SIP phone may allow a remote attacker to invoke the phone's calling features without authentication.

Impact
An attacker may cause many phones in an enterprise to ring simultaneously, disrupting operations. Toll calls may also be initiated on behalf of unsuspecting users.

Description
The Snom-320 SIP phone is a remotely manageable, firmware-upgradeable SIP business telephone. It uses the SIP protocol to provide VoIP services to business users. The Snom-320 has a built-in web server that supports end-user configuration and listens on the standard HTTP port 80. In addition to port 80, the phone has TCP port 1800 open, and that port is also reachable over HTTP. A remote attacker who can send an HTTP GET request to port 1800 of a Snom-320 phone may misuse the phone to place a call to an arbitrary number. Sending such requests to several phones in an enterprise rings a large number of phones simultaneously. Where SIP trunking is in use, the attacker may be able to initiate calls to toll numbers on behalf of unsuspecting users and increase the billing.

Solution
The phone's web-server implementation should be patched to require authentication for access to port 1800. Until patched firmware is deployed, restricting access to TCP port 1800 at the network level to trusted management hosts limits exposure to the attack.

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com
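The following audit helper is an added example and is not code from Sipera, VIPER Lab or Snom. It assumes only what the advisory states: that the phone's TCP port 1800 answers HTTP. It sends a plain GET for "/" (no call-control parameters, so it does not try to place a call) and reports whether the listener demands authentication (401/403/407) or answers an unauthenticated request, which is the condition the advisory describes. The status thresholds and the "unauthenticated-http" label are this example's own conventions, and a hit should be confirmed manually against the phone's firmware version before being reported as vulnerable. A small local listener is included so the script can be exercised offline; it stands in for a phone and is not a model of the real device.

```python
"""Audit helper: find hosts whose TCP port 1800 answers HTTP without authentication.

Added example for the Snom-320 advisory; not vendor code. It only issues a
harmless GET for "/" and classifies the response, it never places a call.
"""
import socket
import sys
import threading
from typing import Dict, Iterable, Optional

PROBE_PORT = 1800                   # port named in the advisory
AUTH_REQUIRED = {401, 403, 407}     # statuses that show an auth check is in place


def build_probe(host: str, path: str = "/") -> bytes:
    """A minimal HTTP/1.0 GET; no call-control parameters are included."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def parse_status(raw: bytes) -> Optional[int]:
    """Return the numeric status code of a raw HTTP response, or None if not HTTP."""
    status_line = raw.partition(b"\r\n")[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify(raw: Optional[bytes]) -> str:
    """Map a probe result to an audit verdict (labels are this example's own)."""
    if raw is None:
        return "unreachable"            # refused, filtered, or no route
    if not raw:
        return "no-response"            # connected, but nothing came back
    code = parse_status(raw)
    if code is None:
        return "non-http"               # something else is listening there
    if code in AUTH_REQUIRED:
        return "auth-required"          # the listener enforces authentication
    if 200 <= code < 400:
        return "unauthenticated-http"   # served an anonymous request: investigate
    return f"http-{code}"


def probe(host: str, port: int = PROBE_PORT, timeout: float = 3.0) -> Optional[bytes]:
    """Connect, send the probe, and return whatever the listener answers."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    chunks = []
    with sock:
        try:
            sock.sendall(build_probe(host))
            while len(b"".join(chunks)) < 65536:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except OSError:     # socket.timeout is an OSError: keep what arrived
            pass
    return b"".join(chunks)


def audit(hosts: Iterable[str], port: int = PROBE_PORT, timeout: float = 3.0) -> Dict[str, str]:
    """Probe each host once and return host -> verdict."""
    return {host: classify(probe(host, port, timeout)) for host in hosts}


def start_fake_phone(response: bytes) -> int:
    """Offline fixture: a local listener that answers every connection with `response`.

    Stand-in for a phone's port-1800 listener so the script runs without a device.
    Returns the ephemeral port it is bound to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)
                conn.sendall(response)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Usage: python audit_1800.py 10.0.0.21 10.0.0.22 ...
    # With no arguments, demonstrate against a constructed local listener.
    targets = sys.argv[1:]
    port = PROBE_PORT
    if not targets:
        port = start_fake_phone(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
        targets = ["127.0.0.1"]
    for host, verdict in audit(targets, port=port).items():
        print(f"{host}:{port}  {verdict}")
```

Run it against the phone subnet from a management host; every "unauthenticated-http" result is a candidate for the firmware fix or for the interim network restriction on port 1800. The constructed 401 and 200 responses in the local fixture are the two outcomes an auditor should expect to distinguish.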
UC Security Defined
Sipera Systems, the leader in real-time Unified Communications (UC) security, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments.

Sipera offers groundbreaking, production-proven solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements. Backed by the industry-leading research of the VIPER lab, Sipera's solutions provide comprehensive threat protection, policy enforcement, access control, and encryption in a single flexible appliance.