Experts found multiple flaws in AudioCodes desk phones and Zoom’s Zero Touch Provisioning (ZTP)

Pierluigi Paganini August 14, 2023

Multiple flaws in AudioCodes desk phones and Zoom’s Zero Touch Provisioning (ZTP) can expose organizations to several attacks.

Researchers from security firm SySS discovered multiple vulnerabilities in AudioCodes desk phones and Zoom’s Zero Touch Provisioning (ZTP) that could be exploited by an attacker to conduct several attacks.

The experts presented their findings at the Black Hat USA security conference last week.

An attacker can trigger the vulnerabilities to eavesdrop on rooms or phone calls, pivot through the devices and breach into corporate networks, deliver bot.

“An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.’s desk phones and Zoom’s Zero Touch Provisioning feature can gain full remote control of the devices,” reads the advisory published by SySS.

Automatic provisioning procedures are essential for configuration of new VoIP devices and their management. The procedures allow administrators to provide device information such as server addresses, account information, and firmware updates.

Furthermore, these procedures allow for efficient central management of the devices after initial provisioning, enabling organizations to easily monitor, troubleshoot and update the devices as needed.

In order to implement automatic provisioning in conventional on-premise VoIP installations, administrators install a simple web server within the local network. The server is used to provide configurations and firmware updates to the devices.

The researchers discovered that no client-side authentication is performed when configuration files are fetched from the ZTP service. In this scenario, an attacker can act as a rogue server and distribute malicious firmware.

Zoom's Zero Touch Provisioning

The researchers also discovered multiple authentication issues in the cryptographic routines of AudioCodes VoIP desk phones. Threat actors can exploit these vulnerabilities to decrypt sensitive information, such as passwords and configuration files. Due to the improper authentication, a remote attacker can exploit these issues to access such files and data.

“During our security analysis, we identified multiple vulnerabilities in Zoom’s and AudioCodes’ provisioning concept as well as in certified hardware. When combined, these vulnerabilities can be used to remotely take over arbitrary devices,” reads the advisory. “We have demonstrated that the combination of advanced cloud-based communication solutions like Zoom, along with traditional technologies like VoIP devices, can be a desirable target for attackers.”

Below is the list of vulnerabilities discovered by the researchers:

Product                          | Vulnerability type                                                    | SySS ID       | CVE ID
---------------------------------|-----------------------------------------------------------------------|---------------|---------------
AudioCodes IP-Phones (UC)        | Use of Hard-coded Cryptographic Key (CWE-321)                         | SYSS-2022-052 | CVE-2023-22957
AudioCodes Provisioning Service  | Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)  | SYSS-2022-053 | N.A.
AudioCodes IP-Phones (UC)        | Use of Hard-coded Cryptographic Key (CWE-321)                         | SYSS-2022-054 | CVE-2023-22956
AudioCodes IP-Phones (UC)        | Missing Immutable Root of Trust in Hardware (CWE-1326)                | SYSS-2022-055 | CVE-2023-22955
Zoom Phone System Management     | Unverified Ownership (CWE-283)                                        | SYSS-2022-056 | N.A.

“As of July 21, we have implemented a restriction for new customers that prevents the use of customized URLs for firmware within the Zoom Phone provisioning template. We also plan on implementing additional security enhancements later this year,” a Zoom spokesman told SecurityAffairs.

I reached out to the company for additional clarifications; below are some of them:

  • Zoom is not the only company that offers zero-touch provisioning, but we were the only company featured in your story and in this research.
  • This attack method relies on exploitable vulnerabilities associated with the target devices manufactured by another company (not Zoom).
  • Zoom has additional security enhancements planned for later this year, including monitoring for and detection of abnormal provisioning behavior, limiting accounts to a default maximum number of unassigned devices, and automatically removing unassigned devices from accounts after a set time period.
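The two defensive measures this article touches on, authenticating the provisioning response on the phone (the missing client-side authentication SySS describes) and refusing firmware from anything but an operator-approved host (the custom-firmware-URL restriction Zoom describes), can be modelled together in a short client-side check. The following Python is an added illustration written for this page; it is not code from SySS, AudioCodes or Zoom. The wire format, the per-device HMAC key, the device ID and the allowlisted host are all constructed assumptions; a real deployment would use a per-device credential installed at manufacture rather than a fleet-wide hard-coded key, which is exactly the CWE-321 weakness listed above.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed values for the example. A per-device key must never be shared
# across the fleet; a fleet-wide hard-coded key is the CWE-321 problem itself.
DEVICE_ID = "PHONE-0001"
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Hosts the phone is willing to download firmware from (assumed operator
# allowlist, modelled on the custom-firmware-URL restriction described above).
FIRMWARE_HOST_ALLOWLIST = {"firmware.example-vendor.invalid"}


class ProvisioningError(Exception):
    pass


def canonical_bytes(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_provisioning(payload: dict, key: bytes) -> dict:
    """Provisioning-server side (constructed): attach an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def firmware_url_allowed(url: str) -> bool:
    """Only HTTPS and only an allowlisted host may serve firmware."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in FIRMWARE_HOST_ALLOWLIST


def verify_provisioning(message: dict, key: bytes, device_id: str) -> dict:
    """Phone side: accept nothing that is not authenticated for this device."""
    payload = message.get("payload")
    tag = message.get("tag")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        raise ProvisioningError("malformed or unsigned provisioning response")
    expected = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ProvisioningError("tag mismatch: rogue server or tampered response")
    if payload.get("device_id") != device_id:
        raise ProvisioningError("response was issued for a different device")
    fw = payload.get("firmware_url")
    if fw is not None and not firmware_url_allowed(fw):
        raise ProvisioningError(f"firmware host not on allowlist: {fw}")
    return payload


def _outcome(message: dict) -> str:
    try:
        verify_provisioning(message, DEVICE_KEY, DEVICE_ID)
        return "accepted"
    except ProvisioningError:
        return "rejected"


def demo() -> dict:
    """Happy path plus the failure modes a defender cares about."""
    genuine = {
        "device_id": DEVICE_ID,
        "sip_server": "sip.example-tenant.invalid",
        "firmware_url": "https://firmware.example-vendor.invalid/uc/2.0.bin",
    }
    signed = sign_provisioning(genuine, DEVICE_KEY)
    results = {"genuine": verify_provisioning(signed, DEVICE_KEY, DEVICE_ID)["sip_server"]}
    # What a phone without client-side authentication would swallow: no tag at all.
    results["unsigned"] = _outcome({"payload": genuine})
    # A rogue server that does not hold the device key.
    results["wrong_key"] = _outcome(sign_provisioning(genuine, b"rogue-key"))
    # Genuine tag, but the firmware URL was rewritten in transit.
    tampered = {"payload": dict(genuine, firmware_url="https://rogue.invalid/fw.bin"),
                "tag": signed["tag"]}
    results["tampered"] = _outcome(tampered)
    # Correctly signed by the service, but pointing at a non-allowlisted host
    # (the case a custom-firmware-URL restriction exists to stop).
    off_list = dict(genuine, firmware_url="https://rogue.invalid/fw.bin")
    results["off_allowlist"] = _outcome(sign_provisioning(off_list, DEVICE_KEY))
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlist check runs even when the tag verifies, because a legitimately signed template can still carry a firmware URL the operator never intended (the "Unverified Ownership" entry in the table). Pairing payload authentication with a host allowlist closes both gaps the article lists.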
