CVE-2024-29149
📋 TL;DR
This CVE describes a time-of-check time-of-use (TOCTOU) vulnerability in Alcatel-Lucent ALE deskphones that allows authenticated attackers to replace legitimate firmware with malicious firmware during updates. Attackers could gain persistent control over affected devices. Users of specific NOE and SIP deskphone models with vulnerable firmware versions are affected.
💻 Affected Systems
- Alcatel-Lucent ALE NOE deskphones
- Alcatel-Lucent ALE SIP deskphones
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing persistent backdoor installation, credential theft, call interception, and lateral movement within the phone network.
Likely Case
Unauthorized firmware modification leading to device malfunction, data exfiltration, or use as a pivot point for network attacks.
If Mitigated
Limited impact with proper network segmentation, firmware validation, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access and precise timing during the firmware update process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 86x8_NOE-R300.1.40.12.4180 for NOE, after 86x8_SIP-R200.1.01.10.728 for SIP
Vendor Advisory: https://www.al-enterprise.com/-/media/assets/internet/documents/n-to-s/sa-c0071-ed01.pdf
Restart Required: Yes
Instructions:
1. Download latest firmware from Alcatel-Lucent support portal.
2. Upload to phone management system.
3. Schedule firmware update for affected devices.
4. Verify successful update completion.
🔧 Temporary Workarounds
Disable automatic firmware updates
Prevent automatic firmware updates that could be intercepted
Configure phone system to require manual approval for all firmware updates
Network segmentation
Isolate phone network from critical systems
Implement VLAN segmentation for VoIP devices
Configure firewall rules to restrict phone network access
🧯 If You Can't Patch
- Implement strict access controls to phone management interfaces
- Monitor for unauthorized firmware modification attempts
🔍 How to Verify
Check if Vulnerable:
Check phone firmware version via web interface or management console against affected version ranges
Check Version:
Access phone web interface at http://[phone-ip]/ or use management console to check firmware version
Verify Fix Applied:
Confirm firmware version is above vulnerable versions: NOE > R300.1.40.12.4180, SIP > R200.1.01.10.728
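The version check above can be run across an exported device inventory. The following is an added example, not code from the vendor or from this page; it assumes firmware strings in the form quoted under Official Fix and that the dotted fields compare numerically, and the host names and inventory are constructed.

```python
import re

# Last builds named in the "Official Fix" line; only later builds count as fixed.
LAST_UNFIXED = {
    "NOE": (300, 1, 40, 12, 4180),   # 86x8_NOE-R300.1.40.12.4180
    "SIP": (200, 1, 1, 10, 728),     # 86x8_SIP-R200.1.01.10.728
}

# Assumed format: optional model prefix, family, "-R", dotted numeric fields.
_FW_RE = re.compile(r"(?:^|_)(NOE|SIP)-R(\d+(?:\.\d+)+)$")


def parse_firmware(fw):
    """Return (family, version tuple) or raise ValueError."""
    m = _FW_RE.search(fw.strip())
    if not m:
        raise ValueError("unrecognised firmware string: %r" % fw)
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def status(fw):
    """Classify one firmware string as 'fixed', 'not-fixed' or 'unknown'."""
    try:
        family, version = parse_firmware(fw)
    except ValueError:
        return "unknown"
    baseline = LAST_UNFIXED[family]
    # A different field count means the format assumption does not hold;
    # report it for manual review instead of guessing.
    if len(version) != len(baseline):
        return "unknown"
    # Numeric tuple comparison: 12 > 9, where a string compare would say "9" > "12".
    return "fixed" if version > baseline else "not-fixed"


def audit(inventory):
    """Map host -> status for a {host: firmware string} inventory."""
    return {host: status(fw) for host, fw in inventory.items()}


# Constructed inventory for illustration only.
SAMPLE = {
    "phone-lobby": "86x8_NOE-R300.1.40.12.4180",
    "phone-desk1": "86x8_NOE-R300.1.40.12.4181",
    "phone-desk2": "86x8_SIP-R200.1.01.10.728",
    "phone-lab": "unreadable",
}

if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE).items()):
        print(host, result)
```

Devices reported as `unknown` need their version read manually from the web interface or management console.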
📡 Detection & Monitoring
Log Indicators:
- Unexpected firmware update attempts
- Authentication failures followed by firmware modification
- Firmware version changes outside maintenance windows
Network Indicators:
- Unusual traffic patterns during firmware update windows
- Connections to unexpected external IPs during updates
SIEM Query:
source="phone_system" AND (event="firmware_update" OR event="firmware_modification")
🔗 References
- https://www.al-enterprise.com/-/media/assets/internet/documents/n-to-s/sa-c0071-ed01.pdf
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-010.txt