Pierluigi Paganini
August 14, 2023
Researchers from security firm SySS discovered multiple vulnerabilities in AudioCodes desk phones and Zoom’s Zero Touch Provisioning (ZTP) that could be exploited by an attacker to conduct several attacks.
The experts presented their findings at the Black Hat USA security conference last week.
An attacker can trigger the vulnerabilities to eavesdrop on rooms or phone calls, pivot through the devices and breach into corporate networks, deliver bot.
“An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.’s desk phones and Zoom’s Zero Touch Provisioning feature can gain full remote control of the devices.” reads the advisory published by SySS.
Automatic provisioning procedures are essential for configuration of new VoIP devices and their management. The procedures allow administrators to provide device information such as server addresses, account information, and firmware updates.
Furthermore, these procedures allow for efficient central management of the devices after initial provisioning, enabling organizations to easily monitor, troubleshoot and update the devices as needed.
In order to implement automatic provision in conventional on-premise VoIP installations, admistrators install a simple web server within the local network. The server is used to provide configurations and firmware updates to the devices.
The researchers discovered that client-side authentication while fetching configuration files from the ZTP service is not implemented. In this scenario, an attacker can act as a rogue server and distribute malicious firmware.
The researchers also discovered multiple authentication issues in the cryptographic routines of AudioCodes VoIP desk phones. Threat actors can exploit these vulnerabilities to decrypt sensitive information, including as passwords and configuration files. A remote attacker can exploit these issues to access such files and data due to improper authentication,
“During our security analysis, we identified multiple vulnerabilities in Zoom’s and AudioCodes’ provisioning concept as well as in certified hardware. When combined, these vulnerabilities can be used to remotely take over arbitrary devices.” reads the advisory. “We have demonstrated that the combination of advanced cloud-based communication solutions like Zoom, along with traditional technologies like VoIP devices, can be a desirable target for attackers.”
Below is the list of vulnerabilities discovered by the researchers:
| Product | Vulnerability Type | SySS ID | CVE ID |
|---|---|---|---|
| AudioCodes IP-Phones (UC) | Use of Hard-coded Cryptographic Key (CWE-321) | SYSS-2022-052 | CVE-2023-22957 |
| AudioCodes Provisioning Service | Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) | SYSS-2022-053 | N.A. |
| AudioCodes IP-Phones (UC) | Use of Hard-coded Cryptographic Key (CWE-321) | SYSS-2022-054 | CVE-2023-22956 |
| AudioCodes IP-Phones (UC) | Missing Immutable Root of Trust in Hardware (CWE-1326) | SYSS-2022-055 | CVE-2023-22955 |
| Zoom Phone System Management | Unverified Ownership (CWE-283) | SYSS-2022-056 | N.A. |
“As of July 21, we have implemented a restriction for new customers that prevents the use of customized URLs for firmware within the Zoom Phone provisioning template. We also plan on implementing additional security enhancements later this year.” a Zoom spokesman told SecurityAffairs.
I reached out to the company for additional clarifications, below are some of them:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Zoom’s Zero Touch Provisioning)
