hitachiVOIP.txt

Posted Nov 20, 2005
Authored by Shawn Merdinger

Hitachi IP5000 VoIP Wifi phones suffer from multiple vulnerabilities including a hard coded administrator password, an undocumented shell on tcp/3390, and management of the devices without proper credentials.

tags | advisory, shell, tcp, vulnerability
SHA-256 | 3fc76b0a8c041d6233c0d5ce2c8893ad965a07c24340c8183fa546480d2e1c69

I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.
<https://www.cmpevents.com/CSI32/a.asp?option=G&V=3&id=406438>

Thanks,
Shawn Merdinger

===============================================================
VENDOR:
Hitachi

PRODUCT:
Hitachi IP5000 VOIP WIFI Phone
https://www.wirelessip5000.com/

SOFTWARE VERSION:
v1.5.6

VENDOR NOTIFIED:
28 June, 2005

VENDOR RESPONSE:
None. However, issues addressed at
https://www.hitachi-cable.co.jp/ICSFiles/infosystem/security/76659792_e.pdf

A. VULNERABILITY TITLE:
Hitachi IP5000 VOIP WIFI Phone handset hardcoded administrator password

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
1. The Hitachi VOIP WIFI phone handset has a default administrator
password of "0000" that the user enters in order to access administrator
functions when programming the handset via the physical keys. This password
appears to be
hardcoded and presents a physical vulnerability. If an attacker can physically
access the phone (borrow, phone rental scenario, theft, etc.) the attacker can
derive sensitive information and modify the phone's configuration. There
appears to be no workaround for this vulnerability.

B. VULNERABILITY TITLE:
Hitachi IP5000 VOIP WIFI phone HTTP server vulnerabilities

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The HTTP server (port TCP/8080) on the Hitachi IP5000 phone has two security
issues:

1. Improper information disclosure: The HTTP daemon default index page
discloses what the device is (Hitachi IP5000 phone), the phone software
versions, phone MAC address, IP address and routing information. An
attacker can use this to discover quickly what the device is and see if there
are any associated vulnerabilities. Also, the disclosure of the phone's
routing/gateway information can provide an attacker with information for a
DoS attack. An attacker does not need to authenticate to the phone to obtain
this information from the index page. Workaround is to disable the HTTP
server via the phone's physical interface or via the HTTP interface.

2. Web server default configuration does not require credentials to
authenticate. This allows an attacker to access any of the various
configuration pages of the phone, changing the phone configuration, etc.
Workaround is to disable the
HTTP server via the phone's physical interface or via the HTTP interface. The
phone user may also set a password via the HTTP interface. Note that the
password set page does not require the previous password (an attacker could
lock out a user if the initial password is not set), nor does it require the new
password to be entered twice (to avoid fat-fingering).

C. VULNERABILITY TITLE:
Hitachi IP5000 VOIP WIFI Phone SNMP daemon vulnerabilities

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:

1. The Hitachi IP5000 VOIP WIFI phone SNMP v1/v2c daemon allows
read/write access to the phone's SNMP configuration using any credentials. An
attacker can use this vulnerability to access the phone's SNMP configuration,
potentially reading/writing/erasing sensitive information. There seems to be no
workaround as it appears that the SNMP daemon can neither be disabled, nor
can the SNMP daemon read/write strings be modified by the phone user.

D. VULNERABILITY TITLE:
Hitachi IP5000 VOIP WIFI Phone undocumented port TCP/3390 Unidata Shell

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:

1. The Hitachi IP5000 phone has an undocumented open port, TCP/3390, that
provides an unauthenticated attacker access to the Unidata Shell created upon
connection. This may allow an attacker to access sensitive information and
potentially impact the phone's operations in a DoS. There appears to be no
means to disable this port and service, so no workaround appears possible.
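
ADDED EXAMPLE (not part of the original advisory or any vendor code):
Since items C and D have no on-device workaround, a network-side check can flag any host outside a management allow-list that reaches the services named in items B, C and D. The voice subnet, the management host, the flow-record format and the use of UDP/161 (the standard SNMP port, which the advisory does not state) are assumptions of this example.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Services named in the advisory. UDP/161 is the standard SNMP port; the
# advisory itself does not give a port number for item C.
EXPOSED = {
    ("tcp", 8080): "B: unauthenticated HTTP configuration server",
    ("udp", 161): "C: SNMP v1/v2c read/write with any credentials",
    ("tcp", 3390): "D: undocumented Unidata Shell",
}

# Assumptions for this example: the handsets live in one voice subnet and
# a single management host is allowed to reach them.
PHONE_NET = ip_network("10.20.0.0/24")
MGMT_HOSTS = {ip_address("10.1.1.5")}

# Constructed flow records: time,src,dst,proto,dport
SAMPLE_FLOWS = """\
2005-11-20T10:00:01,10.1.1.5,10.20.0.17,tcp,8080
2005-11-20T10:00:09,10.30.4.22,10.20.0.17,tcp,3390
2005-11-20T10:00:12,10.30.4.22,10.20.0.17,udp,161
2005-11-20T10:00:15,10.30.4.22,10.20.0.17,udp,5060
2005-11-20T10:00:20,10.30.4.22,10.9.0.3,tcp,8080
bad,record,here,tcp,x
"""

def find_exposure(flow_text, phone_net=PHONE_NET, mgmt=MGMT_HOSTS):
    """Return (time, src, dst, finding) for flows that reach a handset's
    exposed service from a host outside the management allow-list."""
    hits = []
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue
        ts, src, dst, proto, dport = (f.strip() for f in row)
        try:
            src_ip, dst_ip, port = ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue  # skip malformed records instead of aborting the run
        finding = EXPOSED.get((proto.lower(), port))
        if finding and dst_ip in phone_net and src_ip not in mgmt:
            hits.append((ts, src, dst, finding))
    return hits

if __name__ == "__main__":
    for hit in find_exposure(SAMPLE_FLOWS):
        print(*hit, sep="  ")
```

The same port list can drive a default-deny ACL on the voice VLAN boundary, with the allow-list limited to the hosts that provision the handsets.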