AudioCodes VoIP Phones Hardcoded Key

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2022-054  
Product: AudioCodes VoIP Phones  
Manufacturer: AudioCodes Ltd.  
Affected Version(s): Firmware Versions >= 3.4.8.M4  
Tested Version(s): Firmware Version 3.4.4.1000  
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)  
Risk Level: Medium  
Solution Status: Open  
Manufacturer Notification: 2022-11-11  
Solution Date: N.A.  
Public Disclosure: 2023-08-10  
CVE Reference: CVE-2023-22956  
Author of Advisory: Moritz Abrell, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
AudioCodes VoIP phones are modern desk phones which are used for the  
operation in enterprise environments.  
  
The manufacturer describes the product as follows (see [1]):  
  
"The AudioCodes 400HD series of IP phones is a range of easy-to-use,  
feature-rich desktop devices for the service provider hosted services,  
enterprise IP telephony and contact center markets. Based on the same  
advanced, field-proven underlying technology as our other VoIP products,  
AudioCodes high quality IP phones enable systems integrators and end  
customers to build end-to-end VoIP solutions."  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The AudioCodes VoIP phones can be managed centrally, whereby configuration  
files are provided and requested by the phones at a central location.  
These configuration files can also be provided in encrypted form.  
This is intended to protect sensitive information within the configuration  
files from unauthorized access.  
  
Due to the use of a hardcoded cryptographic key, an attacker is able to  
decrypt encrypted configuration files and retrieve sensitive information.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
By analyzing the ELF executable "decryption_tool" of an AudioCodes IP phone  
firmware in a disassembler and decompiler, e.g. Ghidra, the encryption  
mechanism could be reversed and the hardcoded cryptographic key could be  
extracted.  
  
Used encryption algorithm: Triple DES in CBC mode  
Memory address of the 64-byte secret for OpenSSL key and IV derivation: 00001e8f  
  
Extracting the secret:  
#> offset=$(python3 -c 'print(int("00001e8f", base=16))')  
#> dd skip=$offset count=64 if=decryption_tool of=secret.bin bs=1  
  
Deriving the key and IV from the 64-byte secret:  
#> openssl enc -des-ede3-cbc -P -pass pass:h4dArat[...] -nosalt  
  
key = 40DA61FB4831FF53[...]  
iv = C614B77A[..]  
  
With the derived key and IV, it is possible to decrypt encrypted configuration  
files.  
  
As a proof of concept, the OpenSSL command-line tool can be used for  
decryption:  
#> openssl enc -d -des-ede3-cbc -pass pass:h4dArat[...] -nosalt \  
-in /tmp/encrypted_config.cfg -out /tmp/plain_config.cfg  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Update devices to firmware version 3.4.8.M4 and define an individual and  
strong secret from which the encryption key is derived.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2022-11-03: Vulnerability discovered  
2022-11-11: Vulnerability reported to manufacturer  
2022-12-12: Vulnerability confirmed by AudioCodes Ltd.  
2023-01-19: AudioCodes Ltd. adapts the documentation so that it no  
longer states that the passwords are encrypted but obfuscated  
2023-07-13: AudioCodes Ltd. informs that the upcoming release 3.4.8.M4  
will include a feature that allows setting a custom password  
from which the key will be derived  
2023-08-10: Public disclosure at BlackHat USA[4]  
2023-08-11: Public disclosure athttps://blog.syss.com[5]  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] AudioCodes IP Phones Product Website  
https://www.audiocodes.com/solutions-products/products/ip-phones  
[2] SySS Security Advisory SYSS-2022-054  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-054.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
[4] BlackHat USA Briefings Session  
https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341  
[5] Detailed Blog Post  
https://blog.syss.com/posts/zero-touch-pwn/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Moritz Abrell of SySS GmbH.  
  
E-Mail:[email protected]  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmS30X4ACgkQrgyb+PE0  
i1O6EQ//fO27JxW5z0SwoMTfeW/ciyFskSLhAC3fK3NFGKO6fdvGiZR0wrY6ar4E  
VxSpYp2QIqxrr5SDGJlm3DBTzsRT7aQPz/kQn7YvB78MsMf7aMxd7Z1cGyuI5qb4  
YElvIPtRnkcgovNoVeoxqgUVIFxI6xFSYXmU1camUpjO7wq5R8aH7uhJsbdbvQBE  
xlObEWNOzafpo0zwyvc3GjinzZSsmVw9uIGeJyZprBctW4HKos1ReI9/0+UPmXuW  
dafHOPtuuRaE4g+pLsUhVxEO+XcAnjEd1ZwhWIJpYgGMNyceN4muHDToxPwNLZh2  
QJQHKr3JguxSpsS1Kp16WJawY7YIfkA7tBRmlIv/Oil/XhcJF7efgAwVZLD6vEpN  
ZFU/kQTdy8TOnPQue40qB4WVmhq5YvffsVrP97rjhNHRA0Pk9ytxruMr0p09blJ6  
5vhAss7cOaFZlFJFs7OGRLe/jpc1blySBUYsLjnm+OZ2rLWbe0R9VFYMsovzUu1W  
4HxlXZo41yN/VKPUNvMA4tGZ8+dXLBx+p5x0KKossp+ZWkOFwG9+tqK2ZOsagMV6  
Y5XZb66xK8a5R6N0dgbpOpIsvV+lpQJPMFY2sfsK8n1k/b7b5uoxLKbH/AflPWRD  
dvKvVKkrUvxx2NHtVM4EdFcrsnE6b/s+1H7X6bXzD5KkeW6vIkc=  
=Mo8G  
-----END PGP SIGNATURE-----  
`