The AudioCodes 400HD series of IP phones consists of a range of easy-to-use, feature-rich desktop devices for the service provider hosted services, enterprise IP telephony and contact center markets.
The CGI scripts used by the web interface of the 420HD phone do not filter user input correctly. Consequently, an authenticated attacker could inject arbitrary commands (Remote Code Execution) and take full control of the device. For example, it is possible to intercept live communications.
CVE ID: CVE-2018-10093
Access Vector: remote
Security Risk: medium
CVSS Base Score: 7.2
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
command.cgi, used for system monitoring and diagnostics, is vulnerable to a remote command execution attack.
/command.cgi?cat%20/etc/passwd gives the following result:
Note that the vulnerable page is only available to authenticated users (in possession of the admin configuration password).
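The following is an added example, not AudioCodes' code and not part of the original advisory. It contrasts the pattern implied by the request above (the decoded query string used as the command line) with a handler that maps the query to a fixed argument vector and never invokes a shell. The diagnostic names, binary paths and function names are assumptions made for illustration.

```python
import subprocess
from urllib.parse import unquote

# Hypothetical allowlist (assumed, not taken from the firmware):
# diagnostic name -> fixed argv. Nothing from the request reaches argv.
ALLOWED_DIAGNOSTICS = {
    "uptime": ["/usr/bin/uptime"],
    "ifconfig": ["/sbin/ifconfig", "-a"],
    "meminfo": ["/bin/cat", "/proc/meminfo"],
}


def vulnerable_command_line(query_string):
    """Pattern the advisory describes: the decoded query string is the
    command line. Returned for inspection only, never executed here."""
    return unquote(query_string)


def hardened_argv(query_string):
    """Treat the query as an opaque key into the allowlist.
    Any other value, including the empty string, is rejected."""
    name = unquote(query_string)
    if name not in ALLOWED_DIAGNOSTICS:
        raise ValueError("diagnostic not allowed: %r" % name)
    return list(ALLOWED_DIAGNOSTICS[name])


def run_diagnostic(query_string):
    """Run the selected diagnostic without a shell and with a timeout."""
    argv = hardened_argv(query_string)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=5, check=False)
    return done.stdout


if __name__ == "__main__":
    # Constructed inputs: the advisory's request and one allowlisted name.
    for query in ("cat%20/etc/passwd", "uptime"):
        print("shell would receive:", vulnerable_command_line(query))
        try:
            print("hardened argv      :", hardened_argv(query))
        except ValueError as err:
            print("hardened handler   : rejected,", err)
```
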
- 06/03/2018 : Initial discovery
- 17/04/2018 : Vendor contact
- 17/05/2018 : Vendor technical team acknowledgment
- 07/01/2019 : Vendor recommendation to mitigate the issue
- 10/01/2019 : Public disclosure
AudioCodes recommends changing the default admin credentials to mitigate the issue.
These vulnerabilities have only been tested on the 420HD phone (firmware version: 126.96.36.199).
a.baube at sysdream dot com