CVE-2019-9229 in Mediant 500L-MSBR
Summary
by MITRE
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can authenticate with the default 1234 password that cannot be changed, and can execute malicious and unauthorized actions.
Analysis
by VulDB Data Team • 11/05/2023
CVE-2019-9229 affects the AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR multi-service business routers running firmware F7.20A through F7.20A.251. The flaw exposes an internal management interface to every host on the same network segment, and the only credential guarding that interface is fixed. These devices sit at the branch edge as voice gateways, session border controllers and routers, so a compromised unit puts an attacker on the path of both voice and data traffic, which makes them a worthwhile target for anyone who has already gained a foothold on the local network.
The vulnerable service listens on 169.254.254.253, an address in the 169.254.0.0/16 link-local range (RFC 3927) that is normally reserved for automatic address assignment and is reachable only from the directly attached segment. On that address the device exposes the VTY (virtual terminal) interfaces of several quagga routing daemons. These telnet-style command shells are the routing suite's normal management channel; each one authenticates with a single shared password rather than per-user accounts. On the affected firmware that password is the default 1234, and administrators have no supported way to change it. This is a hard-coded credential, catalogued as CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials). Had the VTYs been bound only to the loopback interface the fixed password would have been a local-only weakness; bound to a link-local address, it is an open door for any neighbouring host.
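The practical question for an operator is whether a given unit still accepts the fixed password. The check below, an added example that is not part of the advisory and not AudioCodes code, speaks the quagga VTY login dialogue: connect, wait for the "Password:" prompt, send the candidate, and treat the "hostname> " command prompt as success and a repeated "Password:" prompt as failure. Two things are assumptions, since the advisory names the address but nothing else: that the daemons sit on quagga's standard VTY ports (2601 zebra through 2608 isisd), and that the device's prompts match stock quagga. A constructed stand-in VTY is included so the logic can be exercised offline before pointing it at the real address.

```python
"""Check whether a quagga VTY accepts the unchangeable default password (CVE-2019-9229).

Added example, not code from the advisory or from AudioCodes.  Assumptions: the VTYs use
quagga's standard TCP ports (2601 zebra ... 2608 isisd), which the advisory does not state,
and a successful login is recognised by the "hostname> " prompt stock quagga prints.
"""
import socket
import threading

VULNERABLE_HOST = "169.254.254.253"   # link-local address named in the advisory
DEFAULT_PASSWORD = "1234"             # fixed default password named in the advisory
# Assumption: standard quagga daemon VTY ports; the advisory only says "multiple quagga VTYs".
QUAGGA_VTY_PORTS = {2601: "zebra", 2602: "ripd", 2603: "ripngd", 2604: "ospfd",
                    2605: "bgpd", 2606: "ospf6d", 2608: "isisd"}


def strip_telnet(data: bytes) -> bytes:
    """Drop the telnet IAC option negotiation quagga sends when a VTY connects."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            cmd = data[i + 1]
            i += 3 if 0xFB <= cmd <= 0xFE else 2   # WILL/WONT/DO/DONT carry an option byte
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def recv_until(sock: socket.socket, markers, timeout: float) -> bytes:
    """Read until one of the markers appears, the peer closes, or the timeout expires."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += strip_telnet(chunk)
    return buf


def vty_accepts_password(host: str, port: int, password: str, timeout: float = 3.0) -> bool:
    """True if the VTY at host:port answers the given password with a command prompt."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = recv_until(s, [b"Password:"], timeout)
            if b"Password:" not in banner:
                return False            # closed, filtered, or not a quagga login prompt
            s.sendall(password.encode() + b"\r\n")
            reply = recv_until(s, [b"> ", b"Password:"], timeout)
            # quagga re-prompts "Password: " on failure and prints "hostname> " on success.
            return b"> " in reply and b"Password:" not in reply
    except OSError:
        return False


def audit_device(host: str = VULNERABLE_HOST, password: str = DEFAULT_PASSWORD) -> dict:
    """Map each daemon name to whether its VTY accepted the password."""
    return {name: vty_accepts_password(host, port, password)
            for port, name in QUAGGA_VTY_PORTS.items()}


class FakeQuaggaVty(threading.Thread):
    """Constructed stand-in for one quagga VTY, so the check can be exercised offline."""

    def __init__(self, password: str):
        super().__init__(daemon=True)
        self.password = password
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.srv.accept()
            except OSError:
                return                  # listener closed by stop()
            try:
                with conn:
                    conn.sendall(b"\xff\xfb\x01\xff\xfb\x03Hello, this is Quagga (version 1.2.4).\r\n\r\n"
                                 b"User Access Verification\r\n\r\nPassword: ")
                    attempt = conn.recv(256).split(b"\r\n")[0].decode(errors="replace")
                    conn.sendall(b"\r\nMediant> " if attempt == self.password else b"\r\nPassword: ")
            except OSError:
                continue

    def stop(self):
        try:
            self.srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.srv.close()


if __name__ == "__main__":
    vty = FakeQuaggaVty(DEFAULT_PASSWORD)   # offline demo; call audit_device() on the real LAN
    vty.start()
    print("default password accepted:", vty_accepts_password("127.0.0.1", vty.port, DEFAULT_PASSWORD))
    vty.stop()
```

Run it from a host attached to the same segment as the device; a `True` for any daemon in `audit_device()` means the unit is on affected firmware and the compensating controls discussed below are the only protection. Because quagga closes the session after three wrong passwords, the check sends exactly one attempt per daemon.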
The impact is that any host on the same segment can obtain administrative control of the device's routing daemons. Once logged in to a VTY, an attacker can issue that daemon's configuration commands: alter the routing configuration, inject or withdraw routes, redirect traffic through a host under their control so that calls and data can be intercepted, or leave persistent changes in place as a foothold. Because these gateways carry the organisation's voice and data traffic and are usually integrated with other network systems, that control is a natural starting point for interception and lateral movement. The exposure is worst where the devices share a flat network with user or guest systems and where nobody monitors traffic to link-local addresses, since local network access is all the attack requires.
Because the password cannot be changed, the only effective response on affected firmware is to deny reachability. Place these devices in their own VLAN or on isolated switch ports so that only management hosts share a segment with them; link-local addresses are never routed, so an attacker who is not on the directly attached segment cannot reach 169.254.254.253 at all. Where the device or an upstream switch can filter traffic to that address, block it for everything except explicitly approved management stations, or disable the internal interface if the firmware permits it. Monitor for TCP connections to 169.254.254.253 from anything other than those stations; on a healthy network there should be none, so even a single flow is worth an alert. In ATT&CK terms this is Valid Accounts: Default Accounts (T1078.001): the attacker needs no exploit, only a credential the vendor shipped and the owner cannot revoke. Confirm with AudioCodes which firmware removes the exposure; the advisory scopes the problem to F7.20A through F7.20A.251, so releases outside that range should be verified rather than assumed safe, and the check should be repeated after every upgrade. More broadly, the case illustrates why fixed credentials and management services bound to anything other than a loopback or dedicated management interface defeat otherwise sound network controls, and why device configuration audits should specifically look for defaults that cannot be changed.
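The monitoring rule above is simple enough to express directly over flow records. The following added example, not part of the advisory, runs that logic over a constructed Zeek-style conn.log excerpt: any TCP connection to 169.254.254.253 on a quagga VTY port from a host outside the management allowlist is flagged, with a higher severity when the connection state shows the handshake completed (so a login attempt could have followed) than when it was refused or unanswered. The VTY port set is the same assumption as before; the log lines and the management host addresses are constructed for the example.

```python
"""Flag connections to the CVE-2019-9229 internal interface in Zeek-style conn logs.

Added example, not part of the advisory.  The log lines are constructed, and the quagga
VTY port list is an assumption (the advisory names only the address).
"""
from dataclasses import dataclass

VULNERABLE_HOST = "169.254.254.253"                             # from the advisory
QUAGGA_VTY_PORTS = {2601, 2602, 2603, 2604, 2605, 2606, 2608}   # assumption: standard quagga ports
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}          # Zeek conn_state values after a completed handshake

# Constructed Zeek conn.log excerpt, tab separated and reduced to the fields used here.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1699180001.10\tCa1\t10.20.0.15\t51022\t169.254.254.253\t2605\ttcp\tSF
1699180002.42\tCa2\t10.20.0.15\t51030\t169.254.254.253\t2601\ttcp\tSF
1699180003.07\tCa3\t10.20.0.200\t40001\t169.254.254.253\t2604\ttcp\tREJ
1699180004.55\tCa4\t10.20.0.15\t51040\t10.20.0.1\t443\ttcp\tSF
1699180005.31\tCa5\t10.20.0.31\t38800\t169.254.254.253\t80\ttcp\tS0
"""


@dataclass
class Alert:
    ts: float
    uid: str
    source: str
    port: int
    severity: str   # "high" when a VTY session was actually established, else "medium"


def parse_conn_log(text: str):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def detect_vty_access(text: str, allowed_sources=frozenset()) -> list:
    """Return an Alert for each TCP flow to a VTY port on the vulnerable address
    from a source outside allowed_sources (constructed management allowlist)."""
    alerts = []
    for rec in parse_conn_log(text):
        if rec["id.resp_h"] != VULNERABLE_HOST or rec["proto"] != "tcp":
            continue
        port = int(rec["id.resp_p"])
        if port not in QUAGGA_VTY_PORTS or rec["id.orig_h"] in allowed_sources:
            continue
        severity = "high" if rec["conn_state"] in ESTABLISHED else "medium"
        alerts.append(Alert(float(rec["ts"]), rec["uid"], rec["id.orig_h"], port, severity))
    return alerts


if __name__ == "__main__":
    for a in detect_vty_access(SAMPLE_CONN_LOG):
        print(f"{a.severity:6} {a.ts:.2f} {a.uid} {a.source} -> {VULNERABLE_HOST}:{a.port}")
```

On the sample, the two completed sessions from 10.20.0.15 and the refused attempt from 10.20.0.200 are flagged; the HTTPS flow to the gateway and the connection to port 80 on the link-local address are not, because only the VTY ports matter for this CVE. Passing the management station addresses as `allowed_sources` keeps legitimate administration out of the alert stream.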