I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.
<https://www.cmpevents.com/CSI32/a.asp?option=G&V=3&id=406438>

Thanks,
Shawn Merdinger

===============================================================
VENDOR:
Zyxel

PRODUCT:
Zyxel P2000W Version 1 VOIP WIFI Phone
http://www.zyxel.com/product/P2000W.php

SOFTWARE VERSION:
Wj.00.10
Feb 05 2005

VENDOR NOTIFIED:
28 June, 2005

VENDOR RESPONSE:
None

A.  VULNERABILITY TITLE:
Zyxel P2000W v.1 VOIP WIFI Phone undocumented port UDP/9090

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The Zyxel P2000W v.1 VOIP WIFI phone has an undocumented port,
UDP/9090, that provides an unauthenticated attacker information about
the phone, specifically the phone's MAC address and software version
is returned upon connection. An attacker can use this vulnerabiltiy to
easily identiy the phone and software version. Also, the undocumented
open port may provide an avenue for DoS. There appears to be no
workaround for this issue.

B.  VULNERABILITY TITLE:
Zyxel P2000W v.1 VOIP WIFI Phone uses hardcoded DNS servers

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The Zyxel P2000W v.1 VOIP WIFI phone uses hardcoded DNS servers located
in Taiwan for the phone's DNS configuration.

Primary DNS IP is 168.95.1.1 resolving to dns.hinet.net
Secondary DNS IP is 139.175.55.244 resolving to dns.seed.net.tw

This configuration places every ZyXel phone using this software at
risk of unintentional DoS if the DNS servers in Taiwan become
unavailable.  If the DNS servers are compromised, all Zyxel phone
users worldwide are vulnerable to being redirected to malicious SIP
servers, etc. For a temporary workaround users can manually input the
IP address of a known, trusted DNS server via the keyboard at each
phone start when configured for DHCP or PPOE, however, this will not
persist once the phone is restarted.