CVE-2023-47304: Unsecured UART in Vonage Box Telephone Adapter VDV23 (SW VDV21-3.2.11-0.5.1)
I was experimenting with a Vonage device that I own and discovered a few header pins installed on the board by default that appeared in the configuration of a UART test point.
I hooked the board up to a Tigard (FTDI) and was able to view the UART output.
Once I was on there, it showed that I needed a username/password to authenticate to the device (which was a good sign).
After running the boot sequence a few times, I noticed there were options "1", "2", and "p" in the boot sequence. Options "1" and "2" seemed to boot into a regular boot image.
The image that is loaded appears to be VDV21-3.2.11-0.5.1. I tried "p", and this asked me to enter configuration details for the router. After I hit enter through the defaults, I found that the device returned to a default menu of some kind.
From within this menu I found that I was able to read/write to memory without any authentication whatsoever, which would likely lead to code execution with a bit more work. Currently it just operates as a data leak / denial-of-service in that I can crash the router on boot.
After looking at the boot sequence in more depth, I noticed that it returned memory addresses and other information that could be useful to an attacker or a malicious actor seeking to gain access to your intellectual property by dumping the device's firmware using the arbitrary read/write accessible here.