Hash: SHA512  
Advisory ID: SYSS-2022-055  
Product: AudioCodes VoIP Phones  
Manufacturer: AudioCodes Ltd.  
Affected Version(s): Firmware Versions >=  
Tested Version(s): Firmware Version  
Vulnerability Type: Missing Immutable Root of Trust in Hardware (CWE-1326)  
Risk Level: Medium  
Solution Status: Open  
Manufacturer Notification: 2022-11-14  
Solution Date: N.A.  
Public Disclosure: 2023-08-10  
CVE Reference: CVE-2023-22955  
Authors of Advisory: Matthias Deeg, SySS GmbH  
Moritz Abrell, SySS GmbH  
AudioCodes VoIP phones are modern desk phones which are used for the  
operation in enterprise environments.  
The manufacturer describes the product as follows (see [1]):  
"The AudioCodes 400HD series of IP phones is a range of easy-to-use,  
feature-rich desktop devices for the service provider hosted services,  
enterprise IP telephony and contact center markets. Based on the same  
advanced, field-proven underlying technology as our other VoIP products,  
AudioCodes high quality IP phones enable systems integrators and end  
customers to build end-to-end VoIP solutions."  
Due to insufficient firmware validation, an attacker can store  
malicious firmware on AudioCodes IP phones.  
Vulnerability Details:  
By analyzing the firmware image and update mechanism of AudioCodes IP  
phones, it was identified that parsing and verification of the firmware  
image is done by the ELF executable "flasher" which is executed from  
the script "" located at the path  
When analyzing the software tool "flasher", SySS found out that the  
validation of firmware images only consists of simple checksum checks for  
different firmware components.  
Thus, by knowing how to calculate and where to store the required checksums  
for the "flasher" tool, an attacker is able to store malicious firmware on  
AudioCodes IP phones.  
Proof of Concept (PoC):  
An AudioCodes IP phone's firmware image file contains an image header  
followed by different sections, e.g.:  
1. Firmware image header  
2. bootloader.img  
3. rootfs.ext4  
4. phone.img  
6. flasher  
7. release  
8. end.section  
Each section starts with the 4 magic bytes "0xBB 0xBB 0xBB 0xBB"  
followed by a 4-byte section header size field ("0x60 0x00 0x00 x00")  
and other metadata like length fields and a checksum at the offset  
0x50. This checksum is calculated by adding up all bytes of the section  
data starting at the section offset 0x60.  
As a proof of concept, a manipulated firmware image file was created in  
which an additional user with root privileges was added in the  
"rootfs.ext4" section. After recalculating the checksum and updating  
the section header with its checksum, the manipulated firmware image  
could be successfully uploaded and installed on an AudioCodes IP phone.  
To automate this task, a simple Python script has been developed to  
deal with AudioCodes IP phone firmware images.  
The following output exemplarily shows how a modified firmware image  
for the AudioCodes IP phone C450HD was updated with correct checksums:  
#> python3 -i AudioCodes_UCC450HD_3.4.6.604.1.img -u  
AudioCodes Firmware Tool v0.3 by Matthias Deeg - SySS GmbH (c) 2022  
- ---  
Image infos  
Hardware: C450HD  
Software: UC_3.4.6.604.1  
Version: 25 (0x19)  
Number of sections: 4  
Header length: 112 (0x70)  
Checksum: 0x00000877  
Calculated checksum: 0x00000877  
Attribute: 7 (0x00000007)  
Date: 2021-12-13_09:07:38  
CE5: 0  
- ---  
Section name: bootloader.img  
Section checksum: 0x0247D1A3  
Calculated checksum: 0x0247D1A3  
Data size (8-byte aligned): 423992 (0x67838)  
Data size : 423992 (0x67838)  
- ---  
Section name: rootfs.ext4  
Section checksum: 0x78EF3E3D  
Calculated checksum: 0x78EF3E6D  
Data size (8-byte aligned): 134238208 (0x8005000)  
Data size : 134238208 (0x8005000)  
- ---  
[*] Saved updated firmware image to  
Not yet fixed.  
Disclosure Timeline:  
2022-11-10: Vulnerability discovered  
2022-11-14: Vulnerability reported to manufacturer  
2022-12-12: Vulnerability confirmed by AudioCodes Ltd.  
2023-01-19: AudioCodes Ltd. informs that a solution is planned in 2023  
2023-07-13: AudioCodes Ltd. sets solution date to the end of 2023  
2023-08-10: Public disclosure at BlackHat USA[4]  
2023-08-11: Public disclosure at[5]  
[1] AudioCodes IP Phones Product Website  
[2] SySS Security Advisory SYSS-2022-055  
[3] SySS Responsible Disclosure Policy  
[4] BlackHat USA Briefings Session  
[5] Detailed Blog Post  
This security vulnerability was found by Matthias Deeg and Moritz Abrell  
of SySS GmbH.  
Public Key:  
Key Fingerprint: D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB  
Public Key:  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
Creative Commons - Attribution (by) - Version 3.0