Vulnerabilities Discovered and Subsequent Mitigations in One Voice Operations Center (OVOC) Server
This Product Notice announces possible security vulnerabilities that were recently (privately) discovered and reported to AudioCodes regarding the OVOC server. These vulnerabilities and subsequent mitigations are described in detail below.
Effective Date
Immediate
Vulnerabilities and Mitigations
Each finding is listed together with its mitigation.

1. Exposure of backup files in the /nbif/ directory. Some of these files contain sensitive information, including encrypted usernames and passwords. Access to the directory is protected by the nbif username and its password.
   Mitigation: Change the default password of the nbif user. For detailed instructions, refer to the OVOC Security Guidelines.

2. Hardcoded cryptographic keys that are the same across all OVOC installations. An attacker who obtains these keys can use them to decrypt all encrypted secrets in any OVOC installation.
   Mitigation: Change the default encryption key so that each OVOC installation uses its own key. For detailed instructions, refer to the OVOC Security Guidelines.

3. Directory traversal vulnerability in OVOC's Device Manager module, which an attacker can exploit to gain access to files on the underlying host's operating system.
   Mitigation: Fixed in OVOC Version 8.2.1000. This software is available for download from the AudioCodes Services Portal (registered customers only).

4. Insecure file upload through OVOC's Device Manager module, which an attacker can exploit to achieve remote code execution (RCE).
   Mitigation: Fixed in OVOC Version 8.2.1000. This software is available for download from the AudioCodes Services Portal (registered customers only).