CVE-2018-18566

An attacker on the same network sends a crafted SIP OPTIONS request to the phone's SIP service on TCP port 5060 [ref_id=1]. The phone responds with a 200 OK message that includes the configured user's name and phone number in the `To` and `P-Preferred-Identity` headers, as well as the device model and firmware version in the `User-Agent` header [ref_id=1]. No authentication is required; the attacker only needs network access to the target phone's SIP port [ref_id=1].

The SIP service running on TCP port 5060 is the vulnerable component. The advisory identifies the affected firmware versions as Polycom VVX 500 and 601 devices with firmware version 5.8.0.12848 and earlier [ref_id=1]. No specific source file or function is named in the advisory.

The advisory states that the solution is to install new firmware which disables the SIP service by default [ref_id=1]. No patch diff is available in the bundle. The fix closes the vulnerability by removing the network-accessible SIP service that was leaking configuration data, preventing unauthenticated remote queries from returning sensitive phone information [ref_id=1].

Use the provided shell script `getdatafrompolycom.sh` which sends a crafted SIP OPTIONS request to the target phone's TCP port 5060. Set the `OWNIP` variable to the attacker's IP address and pass the target IP as a command-line argument. The phone responds with a 200 OK message containing the configured user name and phone number in the `To` and `P-Preferred-Identity` headers [ref_id=1].