VYPR
Unrated severity · NVD Advisory · Published Oct 24, 2018 · Updated Aug 5, 2024

CVE-2018-18568

Description

Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allows man-in-the-middle attackers to obtain sensitive credential information by leveraging failure to validate X.509 certificates when used with an on-premise installation with Skype for Business.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Patches: none published by the vendor

Vulnerability mechanics

Root cause

"Missing X.509 certificate validation in the HTTPS client allows a man-in-the-middle attacker to intercept credentials."

Attack vector

An attacker on the same network performs ARP spoofing to redirect the phone's traffic through a proxy (e.g., Burp Suite) [ref_id=1]. The phone opens HTTPS connections to the autodiscover endpoint but does not validate the X.509 certificate presented by the attacker's proxy [CWE-300], so the proxy can terminate TLS with a certificate of its own and read and rewrite the HTTP exchange in the clear. The attacker then suppresses the `WWW-Authenticate: Negotiate` and `WWW-Authenticate: NTLM` challenges in the server's 401 response, leaving HTTP Basic as the only scheme offered; the phone falls back to Basic and transmits the stored Active Directory credentials in an `Authorization: Basic` header, Base64-encoded but otherwise in plaintext [ref_id=1].

Affected code

The advisory does not identify specific source files or functions. The vulnerability exists in the HTTPS client implementation of Polycom VVX 500/601 devices (firmware version 5.8.0.12848 and earlier) when handling the autodiscover endpoint for Skype for Business on-premise deployments [ref_id=1].

What the fix does

No patch or fix has been published by the vendor; the advisory records the solution status as "Open" as of the public disclosure date [ref_id=1]. The remediation is for Polycom to implement proper X.509 certificate validation in the phone's HTTPS client, that is, to check that the presented certificate chains to a trusted CA and matches the host being contacted, and to abort the connection otherwise [ref_id=1]. Because the interceptor terminates TLS and controls every byte of the response, server-side hardening such as removing Basic from the endpoint's challenge does not help: the attacker's proxy can offer Basic on its own. Only the phone refusing an untrusted certificate closes the gap.
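The missing check is on the client side, so the added example below (written for this page, not Polycom's code or anything from the advisory) shows the difference in a Go HTTPS client. Two loopback TLS servers with self-signed certificates stand in for the genuine autodiscover endpoint and for an interceptor that copies its name; only the genuine certificate is provisioned as trusted, and a client with verification disabled (the behaviour the advisory describes) is compared with one that validates the chain and the hostname. The name `autodiscover.corp.example`, the loopback servers and the Basic challenge they return are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned issues a throwaway certificate for 127.0.0.1 with a fresh key. Both
// the genuine endpoint and the interceptor get one with the same name: a MITM can
// copy a subject, but not the key, so only the genuine certificate is trusted.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newEndpoint serves a Basic challenge (constructed sample) over TLS with the given
// certificate; it plays either the genuine endpoint or the interceptor.
func newEndpoint(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("WWW-Authenticate", `Basic realm="sfb"`)
		w.WriteHeader(http.StatusUnauthorized)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// Connect is the phone's HTTPS client. validate=false is the behaviour the advisory
// describes (any certificate accepted); validate=true checks the chain against the
// provisioned trust store and the certificate's name against the host contacted.
func Connect(srv *httptest.Server, trusted *x509.CertPool, validate bool) string {
	cfg := &tls.Config{RootCAs: trusted, InsecureSkipVerify: !validate}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL + "/autodiscover/autodiscover.xml")
	var unknown x509.UnknownAuthorityError
	switch {
	case errors.As(err, &unknown):
		return "rejected: unknown authority"
	case err != nil:
		return "error: " + err.Error()
	}
	resp.Body.Close()
	return "connected"
}

// Outcome holds what the unvalidated and the validating client each got from one server.
type Outcome struct{ Insecure, Validating string }

// Run stands up the genuine endpoint and an interceptor presenting a different
// self-signed certificate under the same name, provisions only the genuine one to
// the client, and reports both clients' results against both servers.
func Run() (genuine, mitm Outcome) {
	genuineSrv := newEndpoint(selfSigned("autodiscover.corp.example"))
	defer genuineSrv.Close()
	fakeSrv := newEndpoint(selfSigned("autodiscover.corp.example"))
	defer fakeSrv.Close()
	trusted := x509.NewCertPool()
	trusted.AddCert(genuineSrv.Certificate())
	genuine = Outcome{Connect(genuineSrv, trusted, false), Connect(genuineSrv, trusted, true)}
	mitm = Outcome{Connect(fakeSrv, trusted, false), Connect(fakeSrv, trusted, true)}
	return genuine, mitm
}

func main() {
	genuine, mitm := Run()
	fmt.Printf("genuine endpoint: %+v\ninterceptor:      %+v\n", genuine, mitm)
}
```

Against the genuine endpoint both clients connect; against the interceptor the unvalidated client connects as well, while the validating client fails the handshake with an unknown-authority error before a single HTTP byte is sent, which is the step the affected firmware skips.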

Preconditions

  • config: The Polycom VVX 500/601 must be configured for an on-premise Skype for Business deployment with stored Active Directory credentials
  • network: The attacker must be on the same local network segment as the phone in order to ARP-spoof it
  • config: The phone must not enforce X.509 certificate validation (the default behavior according to the advisory)

Reproduction

1. Set up Burp Suite as an invisible proxy on the attacker machine.
2. Run ARP spoofing against the phone, with IP forwarding enabled on the attacker host so the rest of the phone's traffic still reaches the gateway: `arpspoof -i eth0 -t 192.168.100.101 192.168.100.1`.
3. Redirect the phone's HTTPS traffic to Burp Suite: `iptables -A PREROUTING -t nat -i eth0 -s 192.168.100.101 -p tcp --dport 443 -j REDIRECT --to-port 8080`.
4. In Burp Suite, configure match-and-replace rules to suppress the `WWW-Authenticate: Negotiate` and `WWW-Authenticate: NTLM` response headers.
5. Watch the proxy history for a POST to `/autodiscover/autodiscover.xml` carrying an `Authorization: Basic` header.
6. Base64-decode the credential string [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0