CVE-2019-9228 in Mediant 500L-MSBR

Summary

by MITRE

** DISPUTED ** An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A at least to 7.20A.252.062. The (1) management SSH and (2) management TELNET features allow remote attackers to cause a denial of service (connection slot exhaustion) via 5 unauthenticated connection attempts, because the maximum number of unauthenticated clients that can be configured is 5. NOTE: the vendor's position is that this is a "design choice."

Analysis

by VulDB Data Team • 06/19/2024

CVE-2019-9228 affects AudioCodes Mediant series communication devices, including the 500L-MSBR, 500-MBSR, M800B-MSBR, and 800C-MSBR models, running firmware versions from F7.20A through 7.20A.252.062. It is a denial of service vulnerability that specifically targets the management interfaces of these network appliances. The issue is classified under CWE-400 as a resource exhaustion weakness, and it aligns with ATT&CK technique T1499.004 for network denial of service attacks. The affected devices expose both SSH and TELNET management protocols, and both are susceptible to this attack vector.

The flaw stems from the limit on unauthenticated client connections to the management interfaces. The system permits only five concurrent unauthenticated connection attempts and rejects further connection requests, which creates a predictable and exploitable condition. An attacker who establishes these five connection attempts exhausts the connection slots available to unauthenticated users. This design limitation allows a simple but effective denial of service attack by repeatedly connecting and disconnecting from the management interfaces without providing valid authentication credentials. The issue is particularly concerning because it requires minimal resources and technical expertise, making it accessible to a wide range of threat actors.

The operational impact of this vulnerability extends beyond simple service disruption, as it can severely compromise network management capabilities and potentially affect the broader communication infrastructure. When the connection slots are exhausted, legitimate administrators cannot establish management sessions to configure or monitor the devices, leading to operational downtime and potential service degradation. The vulnerability affects critical network infrastructure components that are often deployed in mission-critical environments where availability is paramount. Organizations relying on these AudioCodes devices for voice and data communication services may experience significant disruption when attackers exploit this weakness, as the devices become effectively inaccessible for administrative tasks until the connection exhaustion condition is resolved through manual intervention or device reboot.

The vendor's position that this represents a "design choice" reflects a controversial stance that contradicts standard security best practices and industry expectations for network device security. This classification suggests that the limitation was intentionally implemented rather than being an accidental flaw, which raises questions about the security architecture and risk assessment processes employed by the vendor. Organizations should consider implementing additional network segmentation and access controls to mitigate the impact of this vulnerability, including deploying network access control lists to restrict access to management interfaces and implementing monitoring solutions to detect anomalous connection patterns. The vulnerability also underscores the importance of regularly updating firmware and maintaining awareness of vendor security positions, as some vendors may classify certain limitations as intentional design features rather than security flaws.
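The monitoring recommended above can be sketched as follows. This is an added example, not VulDB or AudioCodes code: it tracks unauthenticated management connections per device and raises an alert when all five slots are held. The event format, the sample data and the names `find_slot_exhaustion` and `SAMPLE_EVENTS` are assumptions; it also assumes a slot is released when a session authenticates or closes.

```python
from collections import Counter, defaultdict

MGMT_PORTS = {22, 23}  # SSH and TELNET management services named in the CVE
SLOT_LIMIT = 5         # unauthenticated-client limit stated in the CVE text

# Constructed sample events (hypothetical format, documentation addresses):
# "<epoch_seconds> <open|auth|close> <conn_id> <src_ip> <device_ip> <port>"
SAMPLE_EVENTS = """\
100 open a1 10.0.5.20 10.0.0.1 22
102 auth a1 10.0.5.20 10.0.0.1 22
110 open b1 198.51.100.7 10.0.0.1 22
111 open b2 198.51.100.7 10.0.0.1 22
112 open b3 198.51.100.7 10.0.0.1 22
113 open b4 203.0.113.9 10.0.0.1 22
114 open t1 10.0.5.20 10.0.0.1 23
115 open b5 198.51.100.7 10.0.0.1 22
120 open w1 198.51.100.7 10.0.0.1 443
"""


def find_slot_exhaustion(lines, limit=SLOT_LIMIT):
    """Return (time, device, port, {src: held_slots}) for each moment the count
    of open, not-yet-authenticated management connections reaches `limit`."""
    pending = defaultdict(dict)  # (device, port) -> {conn_id: src}
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or not (parts[0].isdigit() and parts[5].isdigit()):
            continue  # skip malformed records instead of failing
        ts, event, conn, src, device, port = parts
        if int(port) not in MGMT_PORTS:
            continue  # only the management services are in scope
        slots = pending[(device, int(port))]
        if event == "open" and conn not in slots:
            slots[conn] = src
            if len(slots) == limit:
                # Every slot is held: report the holders for ACL review.
                holders = dict(Counter(slots.values()))
                alerts.append((int(ts), device, int(port), holders))
        elif event in ("auth", "close"):
            slots.pop(conn, None)  # slot released once authenticated or closed
    return alerts


if __name__ == "__main__":
    for ts, device, port, holders in find_slot_exhaustion(SAMPLE_EVENTS.splitlines()):
        print(f"t={ts} {device}:{port} unauthenticated slots full, held by {holders}")
```

The per-source counts in each alert show which addresses an access control list on the management interface would need to exclude.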

Reservation: 02/28/2019

Moderation: accepted

CPE: ready

EPSS: 0.00563

KEV: no

Activities: very low
