CVE-2023-22957

CVSS V2 None CVSS V3 None

Description

An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of hard-coded cryptographic key, an attacker with access to backup or configuration files is able to decrypt encrypted values and retrieve sensitive information, e.g., the device root password.

Overview

CVE ID
CVE-2023-22957

Assigner
cve@mitre.org

Vulnerability Status
Analyzed

Published Version
2023-08-11T20:15:14

Last Modified Date
2023-08-22T16:45:55

Weakness Enumerations

CWE	URL
CWE-798	http://cwe.mitre.org/data/definitions/798.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
		AND
cpe:2.3:o:audiocodes:c470hd_firmware::::::::	1	OR	3.4.4.1000
cpe:2.3:h:audiocodes:c470hd:-:::::::*	0	OR
		AND
cpe:2.3:o:audiocodes:c455hd_firmware::::::::	1	OR	3.4.4.1000
cpe:2.3:h:audiocodes:c455hd:-:::::::*	0	OR
		AND
cpe:2.3:o:audiocodes:c435hd_firmware::::::::	1	OR	3.4.4.1000
cpe:2.3:h:audiocodes:c435hd:-:::::::*	0	OR
		AND
cpe:2.3:o:audiocodes:445hd_firmware::::::::	1	OR	3.4.4.1000
cpe:2.3:h:audiocodes:445hd:-:::::::*	0	OR
		AND
cpe:2.3:o:audiocodes:405hd_firmware::::::::	1	OR	3.4.4.1000
cpe:2.3:h:audiocodes:405hd:-:::::::*	0	OR
		AND
cpe:2.3:o:audiocodes:c450hd_firmware::::::::	1	OR	3.4.4.1000
cpe:2.3:h:audiocodes:c450hd:-:::::::*	0	OR

References

Reference URL	Reference Tags
http://packetstormsecurity.com/files/174215/AudioCodes-VoIP-Phones-Hardcoded-Key.html	Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2023/Aug/15	Exploit Mailing List Third Party Advisory
https://syss.de	Not Applicable
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-052.txt	Exploit Vendor Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-22957
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22957

History

Created	Old Value	New Value	Data Type	Notes
2023-09-06 03:39:45				Added to TrackCVE
2023-09-06 03:39:47			Weakness Enumeration	new