AudioCodes has released a new major software version for its SBC and Media Gateway devices.
Version: 7.40A.250.004
Date: February 10, 2022
Product notice: https://www.audiocodes.com/media/a43pp4mi/0456-product-notice-major-release-7-40a-250-for-sbcs-and-gateways.pdf
Release notes: https://www.audiocodes.com/media/15543/sbc-gateway-series-release-notes-for-lr-versions-74.pdf
Main new features:
- Digitally Signed Software Update Files (.cmp): Software update files (.cmp) for Mediant 90xx and Mediant Software (VE/CE/SE) are now digitally signed, preventing the installation of tampered or corrupted .cmp files.
- Floating and Flex Licensing for WebRTC and SIPRec Sessions: WebRTC and SIPRec session capacity can now be licensed through the Floating and Flex licensing models.
- SIPRec Recording Triggered by REST API: SIPRec can now be triggered through REST API to stop and start call recording. This easy-to-use REST API can be useful for Customers who, for example, don’t want the IVR that is played at the beginning of the call to be recorded.
- SDR Reporting using REST API: SBCs can now send SDRs to a remote REST server (in addition to the already supported Syslog and local storage methods).
- PII Masking in CDRs Sent to OVOC: SBCs can now also be configured to mask (hide) Personally Identifiable Information (PII) in CDRs that are sent to OVOC. This is especially important for GDPR compliance.
- Mediant 3100 Support for 64 T1/E1: The Mediant 3100 SBC and Media Gateway now supports up to 64 E1/T1 PSTN digitalized trunks, effectively doubling the maximum capacity.
Two privilege escalation vulnerabilities were recently reported to AudioCodes. These vulnerabilities allow a user with a privileged Administrator role to access the Linux operating system of the Session Border Controller (SBC) / Media Gateway.
The vulnerabilities are described below:
- Secured Emergency Support Mechanism Vulnerability
  - AudioCodes devices provide a Secured Emergency Support mechanism that allows AudioCodes support to debug them at the Linux OS level in case of a critical failure. This mechanism is essential to meet strict support SLA obligations. To obtain access to this mechanism, the customer has to provide AudioCodes’ support access to an account on the device with administrative privileges. After this first successful authenticated access into the device, the mechanism requires an additional device-specific password, which is obtained from AudioCodes support and verified by the device. The mechanism that generates this secondary password was compromised, allowing a malicious user with privileged administrative access to the device to generate and obtain such a password.
- Software Upgrade Mechanism Vulnerability
  - AudioCodes devices allow a user with security administrative privileges to upgrade the software of the device. This upgrade mechanism could be exploited by a malicious user, by loading a malicious file specifically crafted to gain user access to the device's underlying Linux OS.
Software updates are available to fix these vulnerabilities for the affected products.
The affected products are as follows:
- Secured Emergency Support Mechanism Vulnerability
  - Mediant VE/SE/CE
  - Mediant 9000/9030/9080
  - Mediant 4000
  - Mediant 3100
  - Mediant 2600
  - Mediant 1000
  - Mediant 800 SBC, Media Gateway and MSBR
  - Mediant 500 SBC, Media Gateway and MSBR
  - Mediant 500L SBC, Media Gateway and MSBR
  - Mediant 500Li
  - MediaPack 1288
- Software Upgrade Mechanism Vulnerability
  - Mediant VE/SE/CE
  - Mediant 9000
Product notice: https://www.audiocodes.com/media/520luql2/0451-product-notice-sbc-and-media-gateway-software-fixes-for-privilege-escalation-vulnerabilities.pdf