CVE-2023-22955
Severity CVSS v4.0:
Pending analysis
Type:
CWE-345
Insufficient Verification of Data Authenticity
Publication date:
11/08/2023
Last modified:
17/04/2025
Description
An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. The validation of firmware images only consists of simple checksum checks for different firmware components. Thus, by knowing how to calculate and where to store the required checksums for the flasher tool, an attacker is able to store malicious firmware.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:audiocodes:445hd_firmware:*:*:*:*:*:*:*:* | 3.4.4.1000 (including) | |
| cpe:2.3:h:audiocodes:445hd:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:audiocodes:405hd_firmware:*:*:*:*:*:*:*:* | 3.4.4.1000 (including) | |
| cpe:2.3:h:audiocodes:405hd:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:audiocodes:c450hd_firmware:*:*:*:*:*:*:*:* | 3.4.4.1000 (including) | |
| cpe:2.3:h:audiocodes:c450hd:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/174214/AudioCodes-VoIP-Phones-Insufficient-Firmware-Validation.html
- http://seclists.org/fulldisclosure/2023/Aug/17
- https://syss.de
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt
- http://packetstormsecurity.com/files/174214/AudioCodes-VoIP-Phones-Insufficient-Firmware-Validation.html
- http://seclists.org/fulldisclosure/2023/Aug/17
- https://syss.de
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt