HIGH · 7.5

CVE-2023-22957


Vulnerability Description

An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker with access to backup or configuration files is able to decrypt encrypted values and retrieve sensitive information, e.g., the device root password.

CVSS Score

7.5 (HIGH)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor      Product          Versions
Audiocodes  C470Hd Firmware  <= 3.4.4.1000
Audiocodes  C470Hd           -
Audiocodes  C455Hd Firmware  <= 3.4.4.1000
Audiocodes  C455Hd           -
Audiocodes  C435Hd Firmware  <= 3.4.4.1000
Audiocodes  C435Hd           -
Audiocodes  445Hd Firmware   <= 3.4.4.1000
Audiocodes  445Hd            -
Audiocodes  405Hd Firmware   <= 3.4.4.1000
Audiocodes  405Hd            -
Audiocodes  C450Hd Firmware  <= 3.4.4.1000
Audiocodes  C450Hd           -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2023-22957?

CVE-2023-22957 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker with access to backup or configuration files is ...

How severe is CVE-2023-22957?

CVE-2023-22957 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2023-22957?

Check the references section above for vendor advisories and patch information. Affected products include: Audiocodes C470Hd Firmware, Audiocodes C470Hd, Audiocodes C455Hd Firmware, Audiocodes C455Hd, Audiocodes C435Hd Firmware.