A number of safety vulnerabilities have been disclosed in AudioCodes desk telephones and Zoom’s Zero Contact Provisioning (ZTP) that may very well be probably exploited by a malicious attacker to conduct distant assaults.
“An exterior attacker who leverages the vulnerabilities found in AudioCodes Ltd.’s desk telephones and Zoom’s Zero Contact Provisioning characteristic can achieve full distant management of the units,” SySS safety researcher Moritz Abrell mentioned in an evaluation printed Friday.
The unfettered entry may then be weaponized to listen in on rooms or cellphone calls, pivot by way of the units and assault company networks, and even construct a botnet of contaminated units. The analysis was introduced on the Black Hat USA safety convention earlier this week.
The issues are rooted in Zoom’s ZTP, which permits IT directors to configure VoIP units in a centralized method such that it makes it straightforward for organizations to watch, troubleshoot and replace the units as and when required. That is achieved via an internet server deployed inside the native community to supply configurations and firmware updates to the units.
Particularly, it was discovered to lack client-side authentication mechanisms through the retrieval of configuration recordsdata from the ZTP service, thereby resulting in a situation the place an attacker may probably set off the obtain of malicious firmware from a rogue server.
The examine additional uncovered improper authentication points within the cryptographic routines of AudioCodes VoIP desk telephones (which help Zoom ZTP) that enable for the decryption of delicate info, corresponding to passwords and configuration recordsdata transmitted by way of a redirection server utilized by the cellphone to fetch the configuration.
The dual weaknesses, i.e., the unverified possession bug and flaws within the licensed {hardware}, may then be usual into an exploit chain to ship malicious firmware by abusing Zoom’s ZTP and triggering arbitrary units into putting in it.
“When mixed, these vulnerabilities can be utilized to remotely take over arbitrary units. As this assault is extremely scalable, it poses a major safety threat,” Abrell mentioned.
The disclosure arrives almost a yr after the German cybersecurity firm recognized a safety challenge in Microsoft Groups Direct Routing performance that might render installations prone to toll fraud assaults.
“An exterior, unauthenticated attacker is ready to ship specifically crafted SIP messages that faux to originate from Microsoft and are subsequently accurately categorized by the sufferer’s Session Border Controller,” Abrell famous on the time. “Because of this, unauthorized exterior calls are made by way of the sufferer’s cellphone line.”
