Risk | Low |
Patch available | NO |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-18567 |
CWE-ID | CWE-300 |
Exploitation vector | Local network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | 450HD IP Phone (Mobile applications / Mobile firmware & hardware), 440HD IP Phone (Mobile applications / Mobile firmware & hardware) |
Vendor | AudioCodes |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU15554
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:P/RL:U/RC:C]
CVE-ID: CVE-2018-18567
CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform MitM attacks.
The vulnerability exists because the application does not properly validate X.509 certificates when used with an on-premise installation of Skype for Business. A remote attacker can obtain sensitive credential information.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
450HD IP Phone: 3.1.1.43.1 - 3.1.2.89
440HD IP Phone: 3.1.1.43.1 - 3.1.2.89
External links
http://seclists.org/bugtraq/2018/Oct/32
http://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-026.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.