The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Aastra Phone

computer vulnerability alert 12616

Aastra Phone 6753i: denial of service via telnet

Synthesis of the vulnerability

An attacker can connect via telnet on Aastra Phone, in order to trigger a denial of service.
Impacted products: Aastra Phone.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 08/04/2013.
Identifiers: BID-58935, DEF30173/CLN30178/CLN30179, VIGILANCE-VUL-12616.

Description of the vulnerability

The Aastra 6753i IP Telephone has a telnet access.

However, the password for the "admin" user is constant. An attacker can thus login on the phone. It can be noted that entered commands usually lead to a system stop.

An attacker can therefore connect via telnet on Aastra Phone, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert 12281

Aastra 6753i IP Telephone: obtaining the configuration

Synthesis of the vulnerability

An attacker, who owns an Aastra 6753i IP Telephone phone, can obtain fragments from the configuration of other phones.
Impacted products: Aastra Phone.
Severity: 1/4.
Consequences: privileged access/rights, data reading.
Provenance: intranet client.
Creation date: 04/01/2013.
Identifiers: BID-57151, VIGILANCE-VUL-12281.

Description of the vulnerability

When an Aastra 6753i phone starts, it downloads its configuration from a TFTP server. This configuration is stored in a ".tuz" file, which is encrypted with TripleDES, in ECB mode. The phone downloads this file, and decrypts it using the key it owns.

However, the ECB mode does not chain operations, and does not use a counter. Each block of 8 bytes is encrypted independently. Moreover, the encryption key is shared between all phones.

An attacker can connect to the TFTP server, in order to download the configuration of another phone. He can then replace 8 bytes of his own encrypted configuration, with 8 bytes coming from the other configuration, and then invite his phone to download this newly created ".tuz" file . The phone then decrypts the configuration, including the 8 bytes from the other phone configuration.

An attacker, who owns an Aastra 6753i IP Telephone phone, can therefore obtain fragments from the configuration of other phones.
Full Vigil@nce bulletin... (Free trial)

vulnerability note 10724

Aastra IP Phone: password disclosure

Synthesis of the vulnerability

An attacker can connect to the web service of the Aastra IP Phone, in order to read the user password.
Impacted products: Aastra Phone.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 09/06/2011.
Identifiers: BID-48264, VIGILANCE-VUL-10724.

Description of the vulnerability

Each Aastra IP Phone is associated to a user, via his Caller ID and his Authentication Name/Password. These information are transmitted to the SIP server (PBX) during the initialization phase.

The phone has a web service, which displays its SIP configuration:
 - http://ip/globalSIPsettings.html
 - http://ip/SIPsettingsLine1.html
However, these pages contain the Caller ID and Authentication Name/Password fields.

An attacker can therefore connect to the web service of the Aastra IP Phone, in order to read the user password.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.