
ICE enables VoIP devices to establish peer-to-peer connections using the shortest available network path. The feature is not enabled by default on HP Poly devices, and the company advises administrators to disable it if it’s not needed.
The flaw, rated 9.2 on the CVSS severity scale, affects all phones from the HP Poly VVX series, as well as the Trio 8300, 8500, and 8800 IP conference devices. HP has fixed the flaw in its Poly Unified Communications Software (UCS) versions 6.4.8 for the VVX devices, 8.1.7 for the Trio 8300, and 7.2.8 for Trio 8500 and 8800.
VoIP exploit is public for pen testing
An exploit module targeting this vulnerability has already been developed and released for the widely used Metasploit penetration testing framework that’s maintained by Rapid7.
The exploit executes code as root on an affected device with ICE enabled by sending a SIP INVITE request with a specially crafted candidate attribute. This attribute normally contains a transport address that can be used for connectivity checks and is part of the ICE standard, RFC 8839.
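For defenders, the candidate attribute described above can be checked against the RFC 8839 grammar before an INVITE reaches a phone, for example in a SIP proxy or log pipeline. The following is an added example, not code from the article, HP or the Metasploit module. The article does not say which part of the attribute is crafted, so it only tests grammar conformance; the function names, the 512-byte line cap, the 64-character token cap and the letter requirement for hostnames are assumptions.

```python
import ipaddress
import re

# Field shapes from the RFC 8839 candidate-attribute grammar.
ICE_CHARS = re.compile(r"[A-Za-z0-9+/]{1,32}")             # foundation = 1*32ice-char
TOKEN = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`{|}~-]{1,64}")  # 64-char cap: local policy assumption
FQDN = re.compile(r"(?=.*[A-Za-z])[A-Za-z0-9.-]{4,253}")   # letter requirement: local tightening
MAX_LINE = 512                                             # local policy assumption

def _num(s, digits, lo, hi):
    return bool(re.fullmatch(r"[0-9]{1,%d}" % digits, s)) and lo <= int(s) <= hi

def _addr(s):
    try:
        return ipaddress.ip_address(s) is not None
    except ValueError:
        return bool(FQDN.fullmatch(s))

def check_candidate(line):
    """Return the names of fields that break the grammar (empty list = conformant)."""
    f = line[len("a=candidate:"):].split(" ")
    if len(line) > MAX_LINE or len(f) < 8 or len(f) % 2:
        return ["shape"]
    checks = [
        ("foundation", bool(ICE_CHARS.fullmatch(f[0]))),
        ("component-id", _num(f[1], 3, 1, 256)),
        ("transport", bool(TOKEN.fullmatch(f[2]))),
        ("priority", _num(f[3], 10, 1, 2**31 - 1)),
        ("connection-address", _addr(f[4])),
        ("port", _num(f[5], 5, 0, 65535)),
        ("cand-type", f[6] == "typ" and bool(TOKEN.fullmatch(f[7]))),
    ]
    bad = [name for name, ok in checks if not ok]
    for name, value in zip(f[8::2], f[9::2]):  # raddr, rport and extensions are name/value pairs
        if name == "raddr" and not _addr(value):
            bad.append("raddr")
        elif name == "rport" and not _num(value, 5, 0, 65535):
            bad.append("rport")
    return bad

def scan_sdp(body):
    """Map each non-conformant a=candidate line in an SDP body to its failing fields."""
    lines = [l.strip() for l in body.splitlines() if l.startswith("a=candidate:")]
    return {l: bad for l in lines if (bad := check_candidate(l))}

# Constructed sample lines (documentation addresses, not captured traffic).
SAMPLE_SDP = ("a=candidate:1 1 UDP 2130706431 192.0.2.10 49170 typ host\r\n"
              "a=candidate:3 0 UDP 100 192.0.2.10 99999 typ host\r\n")
```

A conformant line is not proof that a request is benign; the check only narrows what reaches the device's parser, and patching to the fixed UCS versions or disabling ICE remains the actual remedy.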
