CVE-2019-9231 in Mediant 500L-MSBR

Summary

by MITRE

An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions before 7.20A.202.307. A Cross-Site Request Forgery (CSRF) vulnerability in the management web interface allows remote attackers to execute malicious and unauthorized actions, because CSRFProtection=1 is not a default and is not documented.

Analysis

by VulDB Data Team • 11/01/2023

The AudioCodes Mediant series devices represent critical telecommunications infrastructure components widely deployed in enterprise and carrier networks for voice and video communication services. These devices operate with web-based management interfaces that administrators use to configure and monitor network operations. The vulnerability exists within the web interface implementation of specific models including the 500L-MSBR, 500-MBSR, M800B-MSBR, and 800C-MSBR units. Firmware versions prior to 7.20A.202.307 contain a fundamental security flaw that undermines the integrity of administrative operations through a cross-site request forgery vulnerability. This issue stems from the absence of default CSRF protection mechanisms, creating a pathway for malicious actors to manipulate administrative functions without proper authorization.

The technical flaw is a missing anti-CSRF check on state-changing requests to the web interface: by default the device accepts a request as long as it carries a valid session cookie, and the browser attaches that cookie automatically to any request aimed at the device, regardless of which site caused it. The weakness is classified as CWE-352 (Cross-Site Request Forgery). A correctly protected interface binds each state-changing request to the administrator's session with a secret the attacker cannot read, typically a per-session token submitted in the form or a custom header, and rejects requests whose Origin or Referer does not match the management host. Because the affected firmware does not do this unless CSRFProtection=1 is set, an attacker only needs an administrator with a live session to load a page the attacker controls (for example, a hidden auto-submitting form); no browser vulnerability is required. Since the parameter is neither the default nor documented, an administrator who hardens the device by the book has no reason to know the protection exists or to enable it.
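The following is an added illustrative model, not AudioCodes code and not a reproduction of the real interface. The endpoint path, parameter names, the session-cookie name and the token scheme are assumptions chosen to show the two behaviours the paragraph describes: a handler that authenticates on the session cookie alone, and the same handler with synchronizer-token and Origin checks enabled. The forged request is what the victim's browser would send after loading an attacker-controlled page.

```python
"""Model of CSRF against a cookie-authenticated admin interface.

Added example, not vendor code. /admin/set_password, the `sid` cookie,
the `csrf_token` field and the management address are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed management address (RFC 5737 documentation range).
MGMT_ORIGIN = "https://192.0.2.10"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class AdminInterface:
    """Toy management interface; csrf_protection mirrors CSRFProtection=1."""

    def __init__(self, csrf_protection: bool):
        self.csrf_protection = csrf_protection
        self.sessions = {}          # session id -> per-session CSRF token
        self.admin_password = "admin"

    def login(self) -> dict:
        # A successful login yields a session cookie and a token that is
        # embedded in the served pages but never sent to other origins.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return {"sid": sid, "csrf": self.sessions[sid]}

    def _authenticated(self, req: Request) -> bool:
        return req.cookies.get("sid") in self.sessions

    def _csrf_ok(self, req: Request) -> bool:
        # Synchronizer token: the form must carry the token bound to this
        # session, compared in constant time. Origin/Referer is checked as
        # defence in depth; a cross-site form post carries the attacker's origin.
        expected = self.sessions[req.cookies["sid"]]
        supplied = req.form.get("csrf_token", "")
        if not hmac.compare_digest(supplied, expected):
            return False
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        return origin.startswith(MGMT_ORIGIN)

    def handle(self, req: Request) -> int:
        if req.method != "POST" or req.path != "/admin/set_password":
            return 404
        if not self._authenticated(req):
            return 401
        if self.csrf_protection and not self._csrf_ok(req):
            return 403
        self.admin_password = req.form["new_password"]   # state change
        return 200


def forged_request(victim_cookies: dict) -> Request:
    """What the victim's browser emits when an attacker page auto-submits a
    form to the device: the device cookie is attached automatically, the
    Origin is the attacker's site, and the attacker cannot supply the token."""
    return Request("POST", "/admin/set_password", victim_cookies,
                   headers={"Origin": "https://evil.example"},
                   form={"new_password": "pwned"})


def legitimate_request(session: dict, new_password: str) -> Request:
    """A form submitted from the device's own page carries the token."""
    return Request("POST", "/admin/set_password", {"sid": session["sid"]},
                   headers={"Origin": MGMT_ORIGIN},
                   form={"csrf_token": session["csrf"], "new_password": new_password})


def run_attack(csrf_protection: bool) -> tuple:
    """Log an admin in, replay the forged request, report status and outcome."""
    dev = AdminInterface(csrf_protection)
    session = dev.login()
    status = dev.handle(forged_request({"sid": session["sid"]}))
    return status, dev.admin_password


def run_legitimate(csrf_protection: bool) -> tuple:
    dev = AdminInterface(csrf_protection)
    session = dev.login()
    status = dev.handle(legitimate_request(session, "S3cure!"))
    return status, dev.admin_password


if __name__ == "__main__":
    print("CSRFProtection=0, forged:", run_attack(False))      # (200, 'pwned')
    print("CSRFProtection=1, forged:", run_attack(True))       # (403, 'admin')
    print("CSRFProtection=1, legit: ", run_legitimate(True))   # (200, 'S3cure!')
```

The model makes the precondition explicit: the attacker never sees the session cookie or the token, and the attack succeeds only because the unprotected handler treats "cookie present" as "request intended by the administrator". Note that the hardened path still depends on the login flow keeping the token out of reach of other origins; a token leaked in a URL or readable cross-origin would defeat it.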

The operational impact extends beyond a single unauthorized action to potential full compromise of the device and disruption of the voice services behind it. Any action the web interface exposes to an administrator can be triggered on their behalf: changing network and SIP routing configuration, modifying user accounts and passwords, weakening security settings, or resetting the configuration. Depending on the action, the result is service outage, unauthorized access to the device, interception or redirection of traffic, or loss of administrative control. The precondition is an administrator with a live session in a browser that also loads attacker-controlled content; the risk is highest where the management interface is reachable from networks the administrator browses from, and where administrators use the same browser for device management and general web access. Organizations that depend on these devices for core communications therefore face the risk of silent configuration changes affecting entire sites.

Organizations should update the affected models to firmware 7.20A.202.307 or later, which addresses this issue, and explicitly set CSRFProtection=1 rather than assume the default; a configuration audit should confirm the parameter is present and enabled. Management interfaces should be segmented from untrusted networks and from the networks administrators browse the web from, and administrators should log out of the device rather than leave sessions open. VulDB maps this vulnerability to ATT&CK T1078 Valid Accounts and T1190 Exploit Public-Facing Application, which highlights the two controls that matter: protecting administrative sessions and hardening the exposed service. Monitoring for configuration changes that do not correlate with a change window, and periodic assessment of the management interface, help detect exploitation. Where the web interface is not required, disable it and administer the device over the CLI via SSH; note that serving the web interface over HTTPS does not by itself mitigate CSRF, because the browser attaches the session cookie to a forged request just the same.

Reservation

02/28/2019

Moderation

accepted

CPE

ready

EPSS

0.00197

KEV

no

Activities

very low
