After my Snom VoIP phone hacked article, I received a response from snom indicating that the vulnerability had more to do with a user not setting a password on the IP phone than any sort of bug or vulnerability in the snom firmware itself. Well that's certainly good news. I guess users or IT administrators that don't set passwords on the IP phones have only themselves to blame if their phones are hacked.This direct from Snom...
CVE-2008-1248:
Yes, you can send an HTTP-POST to the phone and let it dial a number. But you can protect your phone by setting a password. If you set a password then nobody can post an HTTP request to dial a number. The statement in the referred web site that Snom phone don't support passwords is wrong. You can set a password to protect your phone. And you should do it if your phone is connected to the Internet directly.
Our next firmware release will warn the user that no password is set and that his phone is vulnerable.
This is not a real vulnerability, so we can't say a particular firmware is affected, since you can avoid it by setting a password
CVE-2008-1249:
Yes, this is possible right now when the flash plugin is enabled. But the flash plugin is not enabled by default in current firmwares. So a phone is not vulnerable unless you enable the flash plugin. But you can protect your phone by setting a password like for CVE-2008-1248.
Our next firmware release will warn the user that no password is set and that his phone is vulnerable.
Our release after the next will change the flash plugin so that this isn't possible any more.
This is not a real vulnerability, so we can't say a particular firmware is affected, since you can avoid it by setting a password
CVS-2008-1250:
Yes, Snom phone are vulnerable to cross-site request forgery (CSRF). All firmware up to V7.1.30 are affected.
We have changed our web frontend. It uses tokens and html-encoding for values entered in input fields now. Our next firmware release will not be vulnerable to CSRF any more.
CVS-2008-1251:
Yes, Snom phone are vulnerable to Cross-site scripting (XSS). All firmware up to V7.1.30 are affected.
We have changed our web frontend. It uses tokens and html-encoding for values entered in input fields now. Our next firmware release will not be vulnerable to XSS any more.
We also created a website:
http://www.snom.com/javascriptsecurity.html
Technorati
Del.icio.us
Slashdot
Digg
twitter
Yes, of course setting the password protects the phones from getting hacked. Its good to have passwords especially for the phones having snom VoIP. This should be done carefully.
It is a necessary to set passwords to your IP because if not they can be hacked and we face lots of problems.