AudioCodes One Voice Operations Center Path Traversal Vulnerability Allowing Unauthenticated Sensitive Data Access

Vulnerability

A path traversal vulnerability has been identified in AudioCodes One Voice Operations Center (OVOC) versions prior to 8.4.582. This vulnerability allows for the unauthorized reading of sensitive data. The issue arises in the PHP application at the web path '/ipp/admin/AudioCodes_files/ipp_params.php', where the 'name' GET parameter can be manipulated to access files with a '.csv' extension. Exploiting this vulnerability could lead to the exposure of sensitive information, such as encrypted passwords of assigned devices, including Session Border Controllers, which could be decrypted to gain administrative rights on those devices.

Impact

Successful exploitation of this vulnerability allows for the unauthorized access of sensitive data, including encrypted passwords of assigned devices, such as Session Border Controllers. With the hardcoded key mentioned in a related advisory, an attacker could decrypt this information and gain administrative rights on the devices.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/ipp/admin/AudioCodes_files/ipp_params.php' endpoint with a crafted 'name' parameter that includes path traversal sequences. This request can be made using a tool like curl. For example, to access the topology view, the 'name' parameter can be set to traverse the file system and retrieve the 'MGsTopologyList' file, which contains sensitive information such as encrypted passwords.

Remediation

Users are advised to update to AudioCodes One Voice Operations Center version 8.4.582.
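To check whether the endpoint was probed before the update was applied, web server access logs can be searched for requests to the path above whose 'name' value leaves its directory. The following is an added example, not code from AudioCodes or from the original advisory; it assumes Apache/nginx "combined" log format, and the sample log lines and file names in it are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/ipp/admin/AudioCodes_files/ipp_params.php"  # path named in the advisory
# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(name):
    """True if the value is not a bare file name: '..' segment, absolute path or NUL."""
    name = fully_decode(name).replace("\\", "/")
    return "\x00" in name or name.startswith("/") or ".." in name.split("/")

def scan(lines):
    """Return (ip, timestamp, status, decoded name) for suspicious requests to ENDPOINT."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if fully_decode(url.path) != ENDPOINT:
            continue
        for name in parse_qs(url.query, keep_blank_values=True).get("name", []):
            if is_traversal(name):
                hits.append((m["ip"], m["ts"], int(m["status"]), fully_decode(name)))
    return hits

# Constructed sample log lines (not real traffic); file names are placeholders.
SAMPLE = [
    f'198.51.100.7 - - [09/Jun/2025:10:00:01 +0000] "GET {ENDPOINT}?name=template HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.9 - - [09/Jun/2025:10:02:13 +0000] "GET {ENDPOINT}?name=..%2F..%2Fplaceholder HTTP/1.1" 200 2048 "-" "-"',
    f'203.0.113.9 - - [09/Jun/2025:10:02:14 +0000] "GET {ENDPOINT}?name=%252e%252e%252fplaceholder HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.4 - - [09/Jun/2025:10:03:00 +0000] "GET /index.php?name=../x HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Hits that returned status 200 on a version prior to 8.4.582 are the ones to prioritise for review, since the advisory states that the exposed files can contain encrypted device passwords.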

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.