SB2023031315 - Multiple vulnerabilities in Akuvox E11

Description

This security bulletin contains information about 13 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2023-0348)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information on the system.

The vulnerability exists due to improper access restrictions within SIP calls. A remote attacker can activate the camera and microphone and contact any device within Akuvox to call any other device.

2) Command Injection (CVE-ID: CVE-2023-0351)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in the device phone-book contacts functionality in the "call log" page. A remote attacker on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Missing Authentication for Critical Function (CVE-ID: CVE-2023-0354)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to missing authentication for a critical function. A remote attacker on the local network can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Storing passwords in a recoverable format (CVE-ID: CVE-2023-0353)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the affected product uses a weak encryption algorithm for stored passwords and a hard-coded password for decryption. A remote attacker can cause the encrypted passwords to be decrypted from the configuration file.

5) Missing Authorization (CVE-ID: CVE-2023-0349)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to a missing permission check in libvoice library. A remote attacker on the local network can view and record image and video from the camera.

6) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2023-0355)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a hard-coded cryptographic key. A remote attacker on the local network can decrypt sensitive information.

7) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2023-0352)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a weak password recovery mechanism for forgotten password. A remote attacker can download the device key file and reset the password back to the default.

8) Reliance on File Name or Extension of Externally-Supplied File (CVE-ID: CVE-2023-0350)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the affected product does not ensure that a file extension is associated with the file provided. A remote attacker can change the extension of a malicious file to an accepted file type and upload a file to the device.

9) Information disclosure (CVE-ID: CVE-2023-0347)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can identify the device on the Akuvox cloud.

10) Improper Authentication (CVE-ID: CVE-2023-0346)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when cloud login is performed through an unencrypted HTTP connection. A remote attacker can gain access to the Akuvox cloud and device if the MAC address of a device is known.

11) Use of hard-coded credentials (CVE-ID: CVE-2023-0345)

The vulnerability allows a remote attacker to gain full access to vulnerable system.

The vulnerability exists due to presence of hard-coded credentials in application code within the secure shell (SSH) server. A remote attacker can access the affected system using the hard-coded credentials.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

12) Hidden functionality (CVE-ID: CVE-2023-0344)

The vulnerability allows a remote attacker to compromise vulnerable system

The vulnerability exists due to the affected software uses a custom version of dropbear SSH server. A remote attacker can use this functionality to gain full access to the application and compromise the affected system.

13) Not Using an Unpredictable IV with CBC Mode (CVE-ID: CVE-2023-0343)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected product contains a function that encrypts messages which are then forwarded. A remote attacker on the local network can decrypt messages.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://claroty.com/team82/blog/akuvox-smart-intercom-vulnerabilities-leave-privacy-ajar
• https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-against-smart-intercoms