AudioCodes VoIP Phones Insufficient Firmware Validation

2023.08.17
Credit: Matthias Deeg
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2023-22955
CWE: CWE-1326

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-055 Product: AudioCodes VoIP Phones Manufacturer: AudioCodes Ltd. Affected Version(s): Firmware Versions >= 3.4.4.1000 Tested Version(s): Firmware Version 3.4.4.1000 Vulnerability Type: Missing Immutable Root of Trust in Hardware (CWE-1326) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2022-11-14 Solution Date: N.A. Public Disclosure: 2023-08-10 CVE Reference: CVE-2023-22955 Authors of Advisory: Matthias Deeg, SySS GmbH Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: AudioCodes VoIP phones are modern desk phones which are used for the operation in enterprise environments. The manufacturer describes the product as follows (see [1]): "The AudioCodes 400HD series of IP phones is a range of easy-to-use, feature-rich desktop devices for the service provider hosted services, enterprise IP telephony and contact center markets. Based on the same advanced, field-proven underlying technology as our other VoIP products, AudioCodes high quality IP phones enable systems integrators and end customers to build end-to-end VoIP solutions." Due to insufficient firmware validation, an attacker can store malicious firmware on AudioCodes IP phones. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the firmware image and update mechanism of AudioCodes IP phones, it was identified that parsing and verification of the firmware image is done by the ELF executable "flasher" which is executed from the script "run_ramfs_for_upgrade.sh" located at the path "/home/ipphone/scripts/". When analyzing the software tool "flasher", SySS found out that the validation of firmware images only consists of simple checksum checks for different firmware components. Thus, by knowing how to calculate and where to store the required checksums for the "flasher" tool, an attacker is able to store malicious firmware on AudioCodes IP phones. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An AudioCodes IP phone's firmware image file contains an image header followed by different sections, e.g.: 1. Firmware image header 2. bootloader.img 3. rootfs.ext4 4. phone.img 5. section.map 6. flasher 7. release 8. end.section Each section starts with the 4 magic bytes "0xBB 0xBB 0xBB 0xBB" followed by a 4-byte section header size field ("0x60 0x00 0x00 x00") and other metadata like length fields and a checksum at the offset 0x50. This checksum is calculated by adding up all bytes of the section data starting at the section offset 0x60. As a proof of concept, a manipulated firmware image file was created in which an additional user with root privileges was added in the "rootfs.ext4" section. After recalculating the checksum and updating the section header with its checksum, the manipulated firmware image could be successfully uploaded and installed on an AudioCodes IP phone. To automate this task, a simple Python script has been developed to deal with AudioCodes IP phone firmware images. The following output exemplarily shows how a modified firmware image for the AudioCodes IP phone C450HD was updated with correct checksums: #> python3 audiocodes-firmware-tool.py -i AudioCodes_UCC450HD_3.4.6.604.1.img -u AudioCodes Firmware Tool v0.3 by Matthias Deeg - SySS GmbH (c) 2022 - --- Image infos =========== Hardware: C450HD Software: UC_3.4.6.604.1 Version: 25 (0x19) Number of sections: 4 Header length: 112 (0x70) Checksum: 0x00000877 Calculated checksum: 0x00000877 Attribute: 7 (0x00000007) Date: 2021-12-13_09:07:38 CE5: 0 - --- Section name: bootloader.img Section checksum: 0x0247D1A3 Calculated checksum: 0x0247D1A3 Data size (8-byte aligned): 423992 (0x67838) Data size : 423992 (0x67838) - --- Section name: rootfs.ext4 Section checksum: 0x78EF3E3D Calculated checksum: 0x78EF3E6D Data size (8-byte aligned): 134238208 (0x8005000) Data size : 134238208 (0x8005000) - --- [...] [*] Saved updated firmware image to AudioCodes_UCC450HD_3.4.6.604.1.img.new ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Not yet fixed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-11-10: Vulnerability discovered 2022-11-14: Vulnerability reported to manufacturer 2022-12-12: Vulnerability confirmed by AudioCodes Ltd. 2023-01-19: AudioCodes Ltd. informs that a solution is planned in 2023 2023-07-13: AudioCodes Ltd. sets solution date to the end of 2023 2023-08-10: Public disclosure at BlackHat USA[4] 2023-08-11: Public disclosure athttps://blog.syss.com[5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] AudioCodes IP Phones Product Website https://www.audiocodes.com/solutions-products/products/ip-phones [2] SySS Security Advisory SYSS-2022-055 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] BlackHat USA Briefings Session https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341 [5] Detailed Blog Post https://blog.syss.com/posts/zero-touch-pwn/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg and Moritz Abrell of SySS GmbH. E-Mail:matthias.deeg@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc Key Fingerprint: D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmS30ZUACgkQrgyb+PE0 i1NVOxAAsQxeEAuUDwJYIx9/dmnE8TOyl+f9VKtxO7OMSCtsFcbhFTKQD1jm1lMl DKd0HAhWNWi5r87cf4tAUy8QD8NKrXCZljdUE93ZRmwWZHNmuTiyjCHzTHFr/qLG rcfjiaSZawaeaSUE8LSFrZhXiYoWe+ZHsebnm96/DkMryCJ6txbXFKQlKY/MtKSb iinmG6bcWGrlTJXO91OROnpmMioVDIW8YeGaoh87oaLlAsHTCBaKJgdndo3hi5QA 2k0aRsbunJ2UyBAKA2OPwNO+FoHJ4mBvu9b+HZYEUyhtqZ898pjxJg52C7lXfcui wpb4Chh7thVhvjogMnchV1BUSRxbigoeYHywp54YxLTX336wuu0mLYjdalnB0Abx ejiz0ShqznYCkiKfsj+D7kh7DE+uwX5kVQGREFwu0gnJBQsibYgUCUplCM4Ybov7 gHmz1QwRg0pZ4OZLw3bzZeVcXQ/PrCUGDPpILg6IVW5o6bweAnpMsa5v3HhWtN7V LYGq9FlhhejuCajfYW4NbURCBjNfaC1Bb3xEIEM0bPDZMIgl8uK8UZKtNazSYkgM LXo4psv8CwNnUVV1vnw76xvacn6B+UwpiTLNiNCuhuVcBXPp3j9VwiwzWjrsotL4 Gl6ukPl08qS8Z1tGTBtTeWT5qJ1M+ne/9eQtzxgWH2Y3kBwko+U= =wsHl -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top