-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

﻿Advisory ID:               SYSS-2024-078
Product:                   Mediant Session Border Controller
Manufacturer:              AudioCodes Ltd.
Affected Version(s):       < 7.40A.501.841  
Tested Version(s):         7.40A.600.014 
Vulnerability Type:        Inadequate Encryption Strength (CWE-326)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2024-08-30
Solution Date:             2025-02-03
Public Disclosure:         2025-02-07
CVE Reference:             CVE-2024-52884
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

AudioCodes Mediant Session Border Controllers (SBCs) are widely employed SBCs 
used, e.g., for intercompability of SIP services and to secure Voice-over-IP 
communication flow.

The manufacturer describes the product as follows (see [1]):

"AudioCodes Mediant session border controllers (SBCs) deliver seamless 
connectivity, enhanced security and voice quality assurance for any 
voice communications environment and at any scale. Our wide range of 
platforms includes cloud-native, virtualized and appliance SBCs for 
enterprises and service providers. They are also available as a service 
through the AudioCodes Live portfolio as well as via our self-service 
portal.

AudioCodes Mediant SBCs facilitate secured voice and video communications, 
delivering uninterrupted business voice services by leveraging advanced 
high availability and resiliency mechanisms. In cloud deployments, 
they deliver unmatched scale and cost optimization of cloud resources 
with real-time dynamic elasticity.

Mediant SBCs are certified by the leading unified communications (UC) 
providers, such as Microsoft Teams (Direct Routing and Operator Connect), 
Zoom and RingCentral, as well as by contact center providers such as 
Genesys (Engage and Cloud), Microsoft Dynamics 365 and Avaya.

The SBCs typically connect between UC, contact center and SIP trunk 
services, supporting an enterprise’s co-existence or migration strategies 
and protecting it from fraud and malicious attacks. Some AudioCodes SBCs 
feature PSTN interfaces to allow connectivity to legacy equipment if 
required."

Due to the use of weak password obfuscation/encryption, an attacker with 
access to configuration exports (INI) is able to decrypt the passwords.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By reverse engineering the main binary "TPApp" of an AudioCodes SBC, the 
password obfuscation/encryption could be reconstructed.

The algorithm itself is based on simple XOR operations with a dynamically 
generated and password-based key.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

A Python script was developed to reimplement the password encryption.

Example #1:
    Decrypt an encrypted password:

        1. Encrypted password:
            bTkGBgM4AT0bASUSGwwIHg==

        2. Decrypting the password:
            #> python3 tool.py -d bTkGBgM4AT0bASUSGwwIHg==
            ThisIsNotSecure

Example #2:
    Generating an encrypted password:

        #> python3 tool.py -e ThisIsNotSecure
        b'bTkGBgM4AT0bASUSGwwIHg=='

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends updating to version 7.40A.501.841.
It is also required to set an individual encryption key.[4]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-11-13: Vulnerability discovered
2024-08-30: Vulnerability reported to manufacturer
2024-09-02: Asked manufacturer for reception
2024-09-02: Manufacturer confirms reception
2024-09-18: Requested a status update from the manufacturer
2024-09-19: Manufacturer responded with the investigation state
2024-11-18: Informed manufacturer about the assigend CVE-ID: CVE-2024-52884
2024-11-18: Manufacturer informed that a fix is planned for December 2, 2024
2024-12-04: Asked manufacturer for a fixed version
2024-12-09: Manufacturer mentioned that the vulnerability is fixed
2024-12-20: Recognized that the mentioned solution did not address the 
            reported vulnerability; asked the manufacturer for more information
2025-01-08: Manufacturer confirmed that the mentioned fix did not address
            the reported vulnerability; the fix is moved to the next 
            manintenance release planned for early February
2025-01-16: Asked for the expected release date
2025-01-16: Manufacturer informed that the release date is planned for
            February 3, 2025.
2025-02-03: Manufacturer published a fixed version[4]
2025-02-07: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] AudioCodes OVOC product website
    https://www.audiocodes.com/solutions-products/products/session-border-controllers-sbcs
[2] SySS Security Advisory SYSS-2024-078
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-078.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] AudioCodes SBC release notes
    https://www.audiocodes.com/media/h3yfqroz/sbc-gateway-release-notes-for-long-term-support-lts-versions-740a500.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmekd9gACgkQrgyb+PE0
i1PKyBAAmmfiFHREgKxPKQJEBYcpjzFdFmqSAfXqOHB2DDkQ/sDBNnw8cofXqVrt
aMpbjSl7nVcv1P4XHEl7RwYKQBJ35JjFkWL3YEfoF6aa8kl7djDOfvMAhV2NboeI
OzYzyMrSRh5iH15KSCnrKJAh3dgRiaSV3Sng/8pOlORJQ9GPW1/7TmKmav26AB1n
VNMAR22rnE9am7iYLcjx+rNWJsr0h+LPE2I/yDXrIchUAWtWoFDAli1hD+Wky/XN
7xvjW3tHvbAWVNlQxMoOzLbERLW8PYlQVIdV9UcL6FykOQe9C7IDKcO/tOigfW67
zd4MmUgJs5wghM4ZD6BkWjyAT1SC10q/l0SpYDTf9HuJc7SaWZ5323TSbSU7tIlI
ytunirM4lm/N2KHR/lziO9PP40v63io9uiteGflAqpaxpq+RDVxQxAw1hZIEfkEB
DL8kNpRRwgA/ZiH43kgUUvZs58lFHSy13XDV3DMeA47cwLEvOaYVWPhVYR5CwZh0
oW+1A4xL6ekNFHw+isI35J25+/Fejn4zpdx64kbD3j4ja9dQPC/luYYCQKXBXpCb
37NVUpQBC2Z5ibzq0q0Rroti9TpbcHgrR3Zys8aBArxS8f34u/WXje6B4mK0BltJ
IfqoPpHEZzDEvbXm34WRjGyQmwZ/KBOqb45ZOLibxaHOHxPYZiM=
=xZww
-----END PGP SIGNATURE-----