As recently discussed in the blogosphere, there have been rumours of security vulnerabilities in the web interface of snom VoIP phones. These were reported by Compass to snom in March 2009 and have been published recently.

snom, however, had already discovered this vulnerability in December 2008, and a patch was released immediately afterwards. As a result, all snom VoIP phone FW versions from that time onwards are fully protected. This is also acknowledged by Compass. snom attaches the utmost importance to the security and privacy of its customers and therefore does its best to address any possible threat.

All FW versions from 6.5.20, 7.1.39 and 7.3.14 onwards are fully protected. The actual details of the changes are documented in the release notes of snom firmware version 7.1.33.

The changes made include the following:

  • added protection against brute-force attacks on the HTTP password (more than three unsuccessful login attempts block the Web User Interface (WUI) for 1 minute; each further group of three unsuccessful logins doubles the blocking time)
  • show a warning message if the Web User Interface (WUI) is not secured by an admin and HTTP user password (a warning hint is shown in the upper right-hand corner)
  • HTML-encode Web User Interface (WUI) pages to prevent XSS attacks (this prevents injected (Java)Script code from being executed)
  • new configuration parameter use hidden tags to protect the phone against XSRF attacks. Each new Web User Interface (WUI) page carries a fresh hidden security tag, so only the authenticated user is able to use the WUI, and faked HTTP POST requests no longer work. With use hidden tags enabled, only a distinct subset of GET requests with parameters is still possible, namely those needed for normal use of the WUI (no direct dialing and no remote control are available while it is enabled). This functionality only works if the WUI is secured via non-default admin and HTTP passwords!
  • added a button to log out an already authenticated session (the previously missing option to log an authenticated user off from the Web User Interface (WUI) page has been added; this button is displayed in the upper right-hand corner only if the WUI is secured via non-default admin and HTTP passwords!)
  • added an initial security advice Web User Interface (WUI) page (a new security advice page has been added which is shown once, on restart)
  • new warning message and security advice page can be switched off via new configuration parameter ignore security warning (this has been added for backward compatibility reasons)
  • identity based configuration parameter user expiry can be adjusted in seconds now (via Web User Interface (WUI) you can change the value to your needs without using the previous dropdown presets anymore)
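To make the brute-force lock-out, the hidden-tag XSRF check and the HTML encoding from the list above concrete, here is a small model of those three protections. It is example code written for this page, not snom firmware; it assumes that the failure counter resets on a successful login and that each served page gets a fresh, single-use tag, neither of which the release notes state.

```python
import html
import secrets
import time


class WuiGuard:
    """Model of the WUI protections described in the release notes (constructed example)."""
    BLOCK_BASE = 60  # seconds: three failures block the WUI for 1 minute

    def __init__(self, password, clock=time.time):
        self._password = password
        self._clock = clock          # injectable clock so the policy can be tested offline
        self.failures = 0            # assumption: reset to 0 on a successful login
        self.blocked_until = 0.0
        self._tags = set()           # hidden security tags issued to this session

    def block_seconds(self):
        """Block time for the current failure count: 60 s, then 120 s, 240 s, ..."""
        groups = self.failures // 3
        return self.BLOCK_BASE * 2 ** (groups - 1) if groups else 0

    def login(self, candidate):
        now = self._clock()
        if now < self.blocked_until:
            return "blocked"         # WUI refuses logins while the block is active
        if secrets.compare_digest(candidate, self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures % 3 == 0:   # every group of three failures doubles the block
            self.blocked_until = now + self.block_seconds()
            return "blocked"
        return "denied"

    def issue_tag(self):
        """Each WUI page served to the authenticated user carries a new hidden tag."""
        tag = secrets.token_hex(16)
        self._tags.add(tag)
        return tag

    def handle_post(self, tag):
        """A POST is accepted only with a tag issued to this session; forged ones fail."""
        if tag not in self._tags:
            return False
        self._tags.discard(tag)      # assumption: one use per tag
        return True


def render_field(value):
    """HTML-encode user-controlled values before placing them in a WUI page (anti-XSS)."""
    return html.escape(value, quote=True)
```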
