-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-079 Product: One Voice Operations Center (OVOC) Manufacturer: AudioCodes Ltd. Affected Version(s): < 8.4.582 Tested Version(s): 8.2.3122 Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-08-30 Solution Date: 2024-10-20 Public Disclosure: 2025-02-07 CVE Reference: CVE-2024-52881 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: AudioCodes OVOC is used for central management and logging/monitoring of AudioCodes devices. The manufacturer describes the product as follows (see [1]): "AudioCodes One Voice Operations Center (OVOC) is a voice network management solution that combines management of voice network devices and quality of experience monitoring into a single, intuitive application. OVOC enables administrators to adopt a holistic approach to network lifecycle management by simplifying everyday tasks and assisting in troubleshooting all the way from detection to correction. OVOC can be deployed in service provider and enterprise networks and supports end-to-end quality of experience monitoring in Microsoft Teams environments. OVOC provides IT staff with single pane of glass through which they can manage and monitor VoIP devices and elements from a single centralized location, saving time and costs. Tasks normally considered to be complex and time-consuming, such as performing root cause analysis, provisioning new devices and initiating bulk software updates, can now be carried out simply and rapidly. OVOC’s open APIs enable integration with 3rd party applications to provide additional functionality such as enhanced voice analytics and data-layer monitoring." Due to the use of a hardcoded key, an attacker is able to decrypt sensitive data such as passwords extracted from the topology file. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The topology files "topology.xml" and "MGsTopologyList.csv" include (administrative) passwords of assigned devices such as Session Border Controllers. By reverse engineering the OVOC server.jar, the responsible class "com.audioCodes.ems.utilities.topologyUpgrade.AbstractTopologyLoader" was identified. The function "getDecryptPassword" of this class decrypts the passwords using AES-128-CBC with a static key and IV. Besides the key being static, it is also relatively weak and easily guessable. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Encrypted password: qAaAagl9xzOwEvAusWoMUA== 2. Decrypt password using the extracted key and IV: #> echo -n "qAaAagl9xzOwEvAusWoMUA==" | base64 -d | openssl enc -aes128 -d -K 1234567890123456################ -iv 1034669823332212################ -nopad -in - DoNotUseHardKeys ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer recommends updating to OVOC version 8.4.582. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-11-13: Vulnerability discovered 2024-08-30: Vulnerability reported to manufacturer 2024-09-02: Asked manufacturer for reception 2024-09-02: Manufacturer confirms reception 2024-09-18: Requested a status update from the manufacturer 2024-09-19: Manufacturer responded with the investigation state 2024-10-02: Manufacturer mentioned that a fix is planned for the next software release 2024-10-29: Manufacturer informed that a fix is released on October 20, 2024; fixed version: 8.4.582 2024-11-18: Informed manufacturer about the assigend CVE-ID: CVE-2024-52881 2025-02-07: Public disclosure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] AudioCodes OVOC product website https://www.audiocodes.com/solutions-products/products/management-products-solutions/one-voice-operations-center [2] SySS Security Advisory SYSS-2024-079 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-079.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail: moritz.abrell@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmekd+8ACgkQrgyb+PE0 i1MQXw//QMdXCGQzvLfxjZKtzlII7yXnTupNUEu0Gcpu2I39NmCExfjrAJyKHC3F tZxxNK6WLuL1VE6r2aPkx4j63QyGKLR+zjwxRYMmoPZZ+VBBfEOOlO1mwGnfFvrX cr3+w4q1gBJh8qWWS8ZXv4Yv+uJgpi5rooEFH+XPHO+FIRZZTPIhBNYpZEuPOSZS y7YNVfGts0khs92PJkfbkVm34hrlVYVqQJMpvI2DDifQxkaf6QuhaPzSZyP5npsi 2QZjeA6gehMz1gmHSO72DSc1uo9XECU5pWnLx/dDoKd2qNwrnXjRg612NVi2gVM+ +/uNH1uNrAoivrHPbKf75ypvBUDc2/MBzj/pmq48+zF3rt8Nzjobp8VJNv7tt4O/ oPQEeIKcmfC2eI4XRE/BhvSO8Q55OX5ZzbuD69z/aYrxV/PI8qxPVtqrtu/GwdJ0 D/3EfblYjLeR/58C6lY1Szj3PCC59r8wQbBeFVvA1qpFcQH03eZG9TaFkFbGJlsD tAdvH4nPBZ4wq1BtBgL6CZVs0G0GWLjCX6w/lrqJJrqL2fbXoAbs+fENM5Ypf9tx Jt3NWTBoxOzcGtNVt1nEE1Ygo9GspUOnwv2kYeIoaCKzxzEx9dmotxu7Ld4hW+ri Bhwxe3Z3KyxxL7GRbKmZxT23TXcPk+qkKcrpQHd9QBiFgeZVfWQ= =whNM -----END PGP SIGNATURE-----