-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID: SYSS-2021-068
Product: AudioCodes Session Border Controller
Manufacturer: AudioCodes Ltd.
Affected Version(s): 7.20A.258.826 and earlier (LTS)
                     7.40A.200.018 and earlier
Tested Version(s): 7.40A.100.238
Vulnerability Type: Improper Privilege Management (CWE-269)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2021-11-11
Solution Date: 2022-01-26
Public Disclosure: 2022-02-03
CVE Reference: Not yet assigned
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

AudioCodes Session Border Controllers [1] are used for routing and
security purposes in Voice-over-IP deployments such as SIP trunks, PBXs
or Microsoft Teams.

The manufacturer describes the product as follows:

"AudioCodes' Mediant session border controllers (SBCs) deliver seamless
connectivity, enhanced security and quality assurance for enterprise and
service provider VoIP networks. In the enterprise environment, SBCs form
an effective demarcation point between the business's VoIP network and
the service provider's SIP trunk, performing SIP protocol mediation and
media handling (interoperability), and securing the enterprise VoIP
network."

Due to unauthorized access to configuration parameters in the web
management interface of the Session Border Controller, it is possible to
extend the permissions of a user from the "Admin" level to the highest
permission level, "Security Admin".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

An LDAP connection can be configured on the Session Border Controller
which, for example, queries a specific group from Active Directory. This
group can then be assigned a management permission level, e.g. "Admin".

However, a user with the "Admin" permission level is able to modify this
LDAP connection, including the permission level assigned to the group
through which that user is authorized.
This allows a privilege escalation from "Admin" to "Security Admin"
permissions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the web management interface of the Session Border
   Controller as a user with "Admin" rights.

2. Navigate to "LDAP Servers":
   "SETUP" > "IP NETWORK" > "RADIUS & LDAP" > "LDAP Servers"

3. Select the LDAP connection from which the logged-in management user
   is queried.

4. Open the management LDAP group settings by clicking on
   "Management LDAP Groups n items".

5. Select the group settings of the logged-in management user and click
   on "Edit" to change the assigned management level.

6. Change the management level from "Admin" to "Security Admin" and
   confirm with "APPLY".

7. Save the configuration by clicking on the red "Save" button.

8. Log out and log in again. "Security Admin" rights are now assigned to
   the management user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The following fixed software versions are provided by the manufacturer:

- 7.20A.258.882 (LTS)
- 7.40A.250.001

Installing one of these software versions on the AudioCodes Session
Border Controller fixes the security issue.
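The authorization flaw described under "Vulnerability Details" and replayed in the PoC, modelled as an added example (hypothetical code, not AudioCodes' implementation nor the vendor's fix): the flawed check lets any "Admin" edit the LDAP-group-to-level table, including the entry that grants their own level, while the hardened check reserves that table for "Security Admin". The level ladder, class and function names, and the sample group DN are assumptions.

```python
from dataclasses import dataclass, field

# Assumed management-level ladder, lowest to highest. Levels below "Admin"
# are collapsed into one "Monitor" placeholder for this model.
LEVELS = ["Monitor", "Admin", "Security Admin"]


class PermissionDenied(Exception):
    """Raised when an actor may not change a management LDAP group mapping."""


@dataclass
class ManagementLdapGroups:
    """Hypothetical model of the 'Management LDAP Groups' table: group DN -> level."""
    mapping: dict = field(default_factory=dict)

    def effective_level(self, user_groups):
        """A user's level is the highest level of any mapped group they belong to.
        It is evaluated at login, which is why the PoC logs out and in again."""
        ranks = [LEVELS.index(self.mapping[g]) for g in user_groups if g in self.mapping]
        return LEVELS[max(ranks)] if ranks else None

    def edit_vulnerable(self, actor_level, group_dn, new_level):
        """Flawed check (CWE-269): 'Admin' or higher may edit any mapping, so an
        Admin can raise the level of the very group that authorizes them."""
        if LEVELS.index(actor_level) < LEVELS.index("Admin"):
            raise PermissionDenied(actor_level)
        self.mapping[group_dn] = new_level

    def edit_fixed(self, actor_level, group_dn, new_level):
        """Hardened check (assumed, not the vendor's patch): changing who gets
        which management level is itself a 'Security Admin' operation."""
        if actor_level != "Security Admin":
            raise PermissionDenied(actor_level)
        self.mapping[group_dn] = new_level


def replay_poc(edit):
    """Re-enact the PoC against one of the edit methods and return the level the
    Admin user holds after logging in again."""
    group = "CN=SBC-Admins,OU=Groups,DC=example,DC=local"  # constructed sample DN
    table = ManagementLdapGroups({group: "Admin"})
    user_groups = [group]
    actor_level = table.effective_level(user_groups)        # "Admin" at first login
    try:
        edit(table, actor_level, group, "Security Admin")   # PoC step 6
    except PermissionDenied:
        pass                                                # change rejected
    return table.effective_level(user_groups)               # level after re-login
```

Running `replay_poc` with `ManagementLdapGroups.edit_vulnerable` yields "Security Admin", with `edit_fixed` the user stays "Admin"; in a real deployment the same property is worth verifying by attempting the edit with an Admin-level test account after patching.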
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-11-10: Vulnerability discovered
2021-11-11: Vulnerability reported to manufacturer
2021-11-11: Confirmation of receipt by the manufacturer
2021-12-06: Information about remediation plans by the manufacturer
2022-01-26: Fixed software versions released by the manufacturer:
            - 7.20A.258.882 (LTS)
            - 7.40A.250.001
2022-02-03: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] AudioCodes Session Border Controller Product Site
    https://www.audiocodes.com/solutions-products/products/session-border-controllers-sbcs
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en