CVE-2018-16220 in 405HD
Summary
by MITRE
Cross Site Scripting in different input fields (domain field and personal settings) in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an attacker (local or remote) to inject JavaScript into the web interface of the device by manipulating the phone book entries or manipulating the domain name sent to the device from the domain controller.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/07/2023
This vulnerability represents a critical cross site scripting flaw in the AudioCodes 405HD VoIP phone firmware version 2.2.12, where insufficient input validation allows attackers to inject malicious JavaScript code into the device's web interface. The vulnerability manifests in two primary input fields: the domain field and personal settings sections, creating multiple attack vectors for exploitation. The flaw stems from the device's failure to properly sanitize user-supplied data before rendering it within the web interface, enabling persistent XSS attacks through manipulation of phone book entries or domain name parameters sent from the domain controller.
The technical implementation of this vulnerability follows CWE-79 patterns for cross site scripting, specifically targeting input fields that are not adequately filtered or escaped before being rendered in the web context. Attackers can leverage this weakness to execute arbitrary JavaScript code within the context of the victim's browser session, potentially gaining full control over the device's web interface. The local and remote attack vectors significantly increase the threat surface, as both internal network users and external attackers can exploit this vulnerability. The domain field manipulation occurs when the device receives domain information from the controller, while personal settings modifications allow attackers to inject malicious code through phone book entries that are displayed in the web interface.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, steal administrative credentials, modify device configurations, or redirect users to malicious websites. The persistent nature of the XSS vulnerability means that once injected, the malicious code will execute every time the affected page is loaded, potentially allowing attackers to maintain long-term access to the device. This vulnerability directly aligns with ATT&CK technique T1059.007 for command and scripting interpreter, specifically web shell execution, and T1566 for credential access through social engineering. The attack can be particularly damaging in enterprise VoIP environments where these devices serve as critical communication infrastructure.
Mitigation strategies should include immediate firmware updates to address the XSS vulnerability, implementation of input validation and output encoding mechanisms, and network segmentation to limit access to VoIP devices. Organizations should also deploy web application firewalls and regularly monitor web interface traffic for suspicious patterns. The vulnerability highlights the importance of secure coding practices and input sanitization in embedded systems, particularly in network infrastructure devices. Regular security assessments and vulnerability scanning should be implemented to identify similar weaknesses in other VoIP equipment and network devices within the organization's infrastructure.