An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. The validation of firmware images only consists of simple checksum checks for different firmware components. Thus, by knowing how to calculate and where to store the required checksums for the flasher tool, an attacker is able to store malicious firmware.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/174214/AudioCodes-VoIP-Phones-Insufficient-Firmware-Validation.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2023/Aug/17 | Mailing List Third Party Advisory |
https://syss.de | Not Applicable |
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
History
22 Aug 2023, 17:09
Type | Values Removed | Values Added |
---|---|---|
First Time |
Audiocodes c435hd Firmware
Audiocodes 445hd Firmware Audiocodes c470hd Firmware Audiocodes c450hd Firmware Audiocodes c470hd Audiocodes c455hd Firmware Audiocodes 405hd Firmware Audiocodes c435hd Audiocodes c450hd Audiocodes c455hd Audiocodes 405hd Audiocodes 445hd Audiocodes |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
CWE | CWE-345 | |
CPE | cpe:2.3:o:audiocodes:c470hd_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:audiocodes:c450hd:-:*:*:*:*:*:*:* cpe:2.3:o:audiocodes:c455hd_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:audiocodes:405hd:-:*:*:*:*:*:*:* cpe:2.3:o:audiocodes:405hd_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:audiocodes:c450hd_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:audiocodes:c455hd:-:*:*:*:*:*:*:* cpe:2.3:h:audiocodes:445hd:-:*:*:*:*:*:*:* cpe:2.3:h:audiocodes:c470hd:-:*:*:*:*:*:*:* cpe:2.3:h:audiocodes:c435hd:-:*:*:*:*:*:*:* cpe:2.3:o:audiocodes:c435hd_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:audiocodes:445hd_firmware:*:*:*:*:*:*:*:* |
|
References | (MISC) http://packetstormsecurity.com/files/174214/AudioCodes-VoIP-Phones-Insufficient-Firmware-Validation.html - Third Party Advisory, VDB Entry | |
References | (MISC) https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt - Exploit, Vendor Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Aug/17 - Mailing List, Third Party Advisory | |
References | (MISC) https://syss.de - Not Applicable |
17 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
11 Aug 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-11 20:15
Updated : 2023-12-10 15:14
NVD link : CVE-2023-22955
Mitre link : CVE-2023-22955
CVE.ORG link : CVE-2023-22955
JSON object : View
Products Affected
audiocodes
- 405hd
- c450hd_firmware
- c435hd_firmware
- 405hd_firmware
- 445hd
- c470hd
- c435hd
- 445hd_firmware
- c455hd
- c450hd
- c455hd_firmware
- c470hd_firmware
CWE
CWE-345
Insufficient Verification of Data Authenticity