CVE-2023-22957

An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of hard-coded cryptographic key, an attacker with access to backup or configuration files is able to decrypt encrypted values and retrieve sensitive information, e.g., the device root password.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
VendorProductVersion
audiocodesc470hd_firmware
𝑥
≤ 3.4.4.1000
audiocodesc455hd_firmware
𝑥
≤ 3.4.4.1000
audiocodesc435hd_firmware
𝑥
≤ 3.4.4.1000
audiocodes445hd_firmware
𝑥
≤ 3.4.4.1000
audiocodes405hd_firmware
𝑥
≤ 3.4.4.1000
audiocodesc450hd_firmware
𝑥
≤ 3.4.4.1000
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/174215/AudioCodes-VoIP-Phones-Hardcoded-Key.html
http://seclists.org/fulldisclosure/2023/Aug/15
https://syss.de
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-052.txt
http://packetstormsecurity.com/files/174215/AudioCodes-VoIP-Phones-Hardcoded-Key.html
http://seclists.org/fulldisclosure/2023/Aug/15
https://syss.de
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-052.txt