VoIP Security Vulnerabilities

This page documents security vulnerabilities that have been publicly disclosed in VoIP products, and the fix if available.


Cisco 7920

16th November 2005 - Vulnerability - Fix
1) The SNMP service has fixed community strings that allow remote users to read, write, and erase the configuration of an affected device.

2) An open VxWorks Remote Debugger on UDP port 17185 may allow an unauthenticated remote user to access debugging information or cause a denial of service.

Hitachi Wireless IP5000

16th November 2005 - Vulnerability - Fix
1) The Hitachi VOIP WIFI phone handset has a default administrator password of "0000" that the user enters in order to access administrator functions when programming the handset via the physical keys. This password appears to be hardcoded and presents a physical vulnerability. If an attacker can physically access the phone (borrow, phone rental scenario, theft, etc.) the attacker can derive sensitive information and modify the phone's configuration.
There appears to be no workaround for this vulnerability.

2) Improper information disclosure: The HTTP daemon default index page discloses what the device is (Hitachi IP5000 phone), the phone software versions, phone MAC address, IP address and routing information. An attacker can use this to discover quickly what the device is and see if there are any associated vulnerabilities. Also, the disclosure of the phone's routing/gateway information can provide an attacker with information for a DoS attack. An attacker does not need to authenticate to the phone to obtain this information from the index page.
Workaround is to disable the HTTP server via the phone's physical interface or via the HTTP interface.

3) Web server default configuration does not require credentials to authenticate. This allows an attacker to access any of the various configuration pages of the phone, changing the phone configuration, etc. Workaround is to disable the HTTP server via the phone's physical interface or via the HTTP interface. The phone user may also set a password via the HTTP interface. Note that the password set page does not require the previous password (an attacker could lock out a user if the initial password is not set), nor does it require the new password to be entered twice (to avoid fat-fingering).

4) The Hitachi IP5000 VOIP WIFI phone SNMP v1/v2c daemon allows read/write access to the phone's SNMP configuration using any credentials. An attacker can use this vulnerability to access the phone's SNMP configuration, potentially reading/writing/erasing sensitive information.
There seems to be no workaround as it appears that the SNMP daemon can neither be disabled, nor can the SNMP daemon read/write strings be modified by the phone user.

5) The Hitachi IP5000 phone has an undocumented open port, TCP/3390, that provides an unauthenticated attacker access to the Unidata Shell created upon connection. This may allow an attacker to access sensitive information and potentially disrupt the phone's operation (DoS).
There appears to be no means to disable this port and service, so no workaround appears possible.

Senao SI-680H

16th November 2005 - Vulnerability - No Fix
An undocumented open port, UDP/17185 (VxWorks WDB remote debugging, wdbrpc), is left in from development. This open port may allow an attacker unauthenticated access to the phone's OS, perhaps yielding sensitive information, creating opportunities for DoS, etc. There appears to be no workaround to disable this open port.

ZyXEL Prestige 2000W

16th November 2005 - Vulnerability - No Fix
1) The ZyXEL P2000W v.1 VOIP WIFI phone has an undocumented port, UDP/9090, that provides an unauthenticated attacker information about the phone: specifically, the phone's MAC address and software version are returned upon connection. An attacker can use this vulnerability to easily identify the phone and software version. Also, the undocumented open port may provide an avenue for DoS. There appears to be no workaround for this issue.

2) The ZyXEL P2000W v.1 VOIP WIFI phone uses hardcoded DNS servers located in Taiwan for the phone's DNS configuration. Primary DNS IP is 168.95.1.1, resolving to dns.hinet.net. Secondary DNS IP is 139.175.55.244, resolving to dns.seed.net.tw.
This configuration places every ZyXEL phone using this software at risk of unintentional DoS if the DNS servers in Taiwan become unavailable. If the DNS servers are compromised, all ZyXEL phone users worldwide are vulnerable to being redirected to malicious SIP servers, etc. As a temporary workaround, users can manually input the IP address of a known, trusted DNS server via the keyboard at each phone start when configured for DHCP or PPPoE; however, this will not persist once the phone is restarted.

UTstarcom F1000

16th November 2005 - Vulnerability - Fix
1) The UTstarcom F1000 SNMP daemon's default public credentials allow an attacker with access to the phone's SNMP daemon to read the phone's SNMP configuration. This can lead to sensitive information disclosure. In addition, the daemon's read/write credentials cannot be changed, nor can the daemon be disabled via the phone's physical interface (i.e. via keypad input). During testing, the SNMP daemon appeared to consistently die when connecting via Snmpwalk, requiring a reboot of the phone in order to restore SNMP service.

2) The phone's rlogin port TCP/513 is listening by default and requires no authentication. An attacker connecting to the phone via telnet/netcat is dropped into a shell without any log-in. The shell provides an attacker full access to the VxWorks OS, including debugging, direct memory dumping/injection, read/write access to device, user and network configuration files, enabling/disabling/restarting services, and remote reboot.
There appears to be no workaround as neither the service can be disabled, nor can authentication to rlogin be enabled.

  • These problems were identified on UTStarcom's s2.0 software release which was issued in April 2005. They were reported to UTStarcom in June 2005 and all items listed here were corrected by the August 2005 3.1st software release. Current firmware at the time of writing is 3.60st.
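
Several of the items above have no workaround on the device itself, so network-level monitoring is the remaining control. The following is an added example, not part of the original page: it audits a flow log for traffic that touches the services and hardcoded resolvers listed here. The voice subnet, management host, log format and sample records are constructed assumptions, and UDP/161 is the standard SNMP port rather than a value stated on the page.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Services named on this page, keyed by (protocol, port).
# UDP/161 is the standard SNMP port; the page does not state it.
EXPOSED_SERVICES = {
    ("udp", 17185): "VxWorks WDB remote debugger",
    ("tcp", 3390): "Hitachi IP5000 Unidata Shell",
    ("udp", 9090): "ZyXEL P2000W information disclosure port",
    ("tcp", 513): "UTstarcom F1000 unauthenticated rlogin",
    ("udp", 161): "SNMP with fixed or default community strings",
}
HARDCODED_DNS = {ip_address("168.95.1.1"), ip_address("139.175.55.244")}

# Assumptions for this example (not from the page).
VOICE_NET = ip_network("10.20.0.0/24")   # hypothetical voice VLAN
MGMT_HOSTS = {ip_address("10.1.1.5")}    # hypothetical management station

# Constructed sample flow log: src,dst,proto,dport
SAMPLE_FLOWS = """src,dst,proto,dport
10.1.1.5,10.20.0.11,udp,161
10.30.4.7,10.20.0.11,udp,161
10.30.4.7,10.20.0.12,udp,17185
10.20.0.13,168.95.1.1,udp,53
10.20.0.13,10.1.1.53,udp,53
10.30.4.9,10.20.0.14,tcp,513
10.30.4.9,10.20.0.14,udp,5060
"""

def audit_flows(text):
    """Return (src, dst, reason) for each flow that touches a listed weakness."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        proto, dport = row["proto"].lower(), int(row["dport"])
        service = EXPOSED_SERVICES.get((proto, dport))
        # Inbound to a phone's management/debug service from a non-management host.
        if dst in VOICE_NET and service and src not in MGMT_HOSTS:
            findings.append((str(src), str(dst), service))
        # Phone resolving names through the firmware's hardcoded resolvers.
        elif src in VOICE_NET and dport == 53 and dst in HARDCODED_DNS:
            findings.append((str(src), str(dst), "DNS query to hardcoded resolver"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```
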

Additional Resources




Created by: www.myphonecall.co.uk, Last modification: Thu 05 of Apr, 2007 (10:16 UTC) by qwerty55