VUPEN Security - Security Mailinglists (Mirrored Posts)

	About Us \| Contact Us

VUPEN Free Resources

VUPEN Security Advisories

VUPEN Security Blog & News

Zero-day Attacks Monitor

Daily Security Mailinglist

Explanation of Terms

Advanced Search Engine

>> VUPEN Security / Public Mailing Lists Mirror

Assigned : VUPEN/ADV-2005-2476

From : Shawn Merdinger <shawnmer at gmail.com>
Subject : Zyxel P2000W (Version1) VoIP Wifi phone multiple
Date : 2005-11-16

Original Message

I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.
<https://www.cmpevents.com/CSI32/a.asp?option=G&V=3&id=406438>

Thanks,
Shawn Merdinger

===============================================================
VENDOR:
Zyxel

PRODUCT:
Zyxel P2000W Version 1 VOIP WIFI Phone
http://www.zyxel.com/product/P2000W.php

SOFTWARE VERSION:
Wj.00.10
Feb 05 2005

VENDOR NOTIFIED:
28 June, 2005

VENDOR RESPONSE:
None

A. VULNERABILITY TITLE:
Zyxel P2000W v.1 VOIP WIFI Phone undocumented port UDP/9090

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The Zyxel P2000W v.1 VOIP WIFI phone has an undocumented port, UDP/9090, that provides an unauthenticated attacker information about the phone, specifically the phone's MAC address and software version is returned upon connection. An attacker can use this vulnerabiltiy to easily identiy the phone and software version. Also, the undocumented open port may provide an avenue for DoS. There appears to be no workaround for this issue.

B. VULNERABILITY TITLE:
Zyxel P2000W v.1 VOIP WIFI Phone uses hardcoded DNS servers

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The Zyxel P2000W v.1 VOIP WIFI phone uses hardcoded DNS servers located in Taiwan for the phone's DNS configuration.

Primary DNS IP is 168.95.1.1 resolving to dns.hinet.net
Secondary DNS IP is 139.175.55.244 resolving to dns.seed.net.tw

This configuration places every ZyXel phone using this software at risk of unintentional DoS if the DNS servers in Taiwan become unavailable. If the DNS servers are compromised, all Zyxel phone users worldwide are vulnerable to being redirected to malicious SIP servers, etc. For a temporary workaround users can manually input the IP address of a known, trusted DNS server via the keyboard at each phone start when configured for DHCP or PPOE, however, this will not persist once the phone is restarted.

Disclaimer : VUPEN Security does not endorse the content of this message submitted by others to public mailinglists. Messages submitted to public mailinglists do not necessarily reflect the opinions or policies of VUPEN Security. VUPEN Security makes no warranties, express or implied, as to the content of the message in this page or the accuracy and reliability of any messages and other materials submitted to public mailinglists. Any questions or comments regarding this page should be sent to team@vupen.com

Monthly Statistics

VUPEN Security Advisories By Criticality: Sep 2010
Critical Risk	: 14%
High Risk	: 3%
Moderate Risk	: 45%
Low Risk	: 38%

Get a real-time view of the vulnerabilities affecting your systems using the VUPEN VNS reporting capabilities.

Try VUPEN VNS