WIXLIB

Security Vulnerability HandlingFor AudioCodes Session Border Controllers,One Voice Operations Center (OVOC),AudioCodes Routing Manager (ARM) andIP PhonesThis document provides security information for AudioCodes family of Mediant SessionBorder Controllers (SBC), One Voice Operations Center (OVOC) and IP Phones. Thisinformation is based on common industry practices, as well as on experience gained externallythrough certifications such as DoD FIPS, and through AudioCodes' continuous experience withinternal vulnerability testing.This information is kept up to date on a continual basis, adhering to industry trends andexposures to new vulnerabilities.Security Approach for Main Critical Functional AreasSBCFunctional AreaWeb Management via HTTPSSecurity Measures in UseThe SBC uses a proprietary Web server that is specificallyhardened to provide tailored functionality. In other words,only minimum functionality required for the managementof the SBC is kept active, while other features found inpublic open-source Web servers are removed. This reducesthe attack surface of the SBC's Web server, eliminatingmany common security threats.The protection capability of the SBC's Web server is testedusing an extensive third-party, test suite that covers genericvulnerabilities as well as potential attack insertion points.Transport Layer Security (TLS)and Secure Sockets Layer (SSL)Using OpenSSL as the TLS/SSL toolkit and cryptographylibrary. The SBC uses the Long-term Support (LTS) stream ofOpenSSL 1.1.1.Document #: LTRT-91108AudioCodes Inc.200 Cottontail Lane, Suite A101E, SomersetNJ 08873Tel: 1-732-469-0880 Fax: 1-732-469-2298International Headquarters1 Hayarden Street, Airport City, Lod 7019900P.O. Box 255, Ben Gurion Airport, Israel, 70100Tel: 972-3-976-4000 Fax: 972-3-976-4040Date: April, fices-worldwideWebsitehttps://www.audiocodes.com

Functional AreaCLI (using SSH)Security Measures in UseAccess to the SBC through the Command Line Interface (CLI)can be configured to employ the following authenticationmethods: SSH key pairsUsername-password combinationDisable (no CLI access)SNMPSecure communication using SNMPv3.Operating System (OS)The SBC's OS is a highly-customized version of CentOS 8stream (SBC Version 7.4 and later). The OS is “vertically”integrated with the application(i.e., it is installed and updated as part of the applicationinstall or update).No third-party applications run concurrently with the SBCsoftware (access to the OS is completely blocked).Only the necessary bare-minimum set of CentOS packagesare installed. All standard services (including SSH, Telnet,NTP etc.) are replaced with home-grown implementation.Access to the Linux terminal is blocked (both from consoleand SSH/Telnet); instead, the application-level CLI ispresented.OVOCFunctional AreaSecurity Measures in UseWeb Management via HTTPSOVOC uses Apache Web server. The protection capability ofthe OVOC Web server is tested using an extensive thirdparty test suite that covers generic vulnerabilities as well aspotential attack insertion points.Transport Layer Security (TLS)and Secure Sockets Layer (SSL)Using OpenSSL as the TLS/SSL toolkit and cryptographylibrary. The OVOC uses the Long-term Support (LTS) streamof OpenSSL 1.0.2.HTTPSSecure communication using HTTPS.SNMPSecure communication using SNMPv3.Operating System (OS)The OVOC OS is a customized version of CentOS 7. The OS isintegrated with the application, i.e., it is installed andupdated as part of the application installation or update.Document #: LTRT-91108AudioCodes Inc.200 Cottontail Lane, Suite A101E, SomersetNJ 08873Tel: 1-732-469-0880 Fax: 1-732-469-2298International Headquarters1 Hayarden Street, Airport City, Lod 7019900P.O. Box 255, Ben Gurion Airport, Israel, 70100Tel: 972-3-976-4000 Fax: 972-3-976-4040Date: April, fices-worldwideWebsitehttps://www.audiocodes.com

Functional AreaSecurity Measures in UseNo third-party applications run concurrently with the OVOCsoftware.Only the necessary bare-minimum set of CentOS packagesare installed.ARMFunctional AreaSecurity Measures in UseWeb Management via HTTPSARM uses Apache Web server. The protection capability ofthe ARM Web server is tested using an extensive thirdparty, test suite that covers generic vulnerabilities as well aspotential attack insertion points.Transport Layer Security (TLS)and Secure Sockets Layer (SSL)OpenSSL is used as the TLS/SSL toolkit and cryptographylibrary. The ARM uses OpenSSL 1.1.1.g FIPS.Java’s Secure Socket Extension (JSSE) is used for Javarelated TLS / SSL Communication. The ARM uses JSSEimplementation of JDK 11.HTTPSSecure communication using HTTPS.CLI (using SSH)Access to the ARM through the Command Line Interface(CLI) using Username-password combination; root login isnot allowed by default.Operating System (OS)The ARM OS is a customized version of CentOS 8. The OS isintegrated with the application (i.e., it is installed andupdated as part of the application install or update).No third-party applications run concurrently with the ARMsoftware.Only the necessary bare-minimum set of CentOS packagesare installed.Document #: LTRT-91108AudioCodes Inc.200 Cottontail Lane, Suite A101E, SomersetNJ 08873Tel: 1-732-469-0880 Fax: 1-732-469-2298International Headquarters1 Hayarden Street, Airport City, Lod 7019900P.O. Box 255, Ben Gurion Airport, Israel, 70100Tel: 972-3-976-4000 Fax: 972-3-976-4040Date: April, fices-worldwideWebsitehttps://www.audiocodes.com

Native Teams IP PhonesFunctional AreaSecurity Measures in UseWeb Management via HTTPSThe Native Teams IP phones do not use an embedded Webserver for phone configuration. All the Web services arecustomized to connect to Office 365 services and toAudioCodes managed services such as the OVOC.Sign in to Microsoft TeamsThe Native Teams phone is signed in to Teams either withuser credentials or using a special mode in which the userdoes not type the credentials but rather obtains a codefrom the phone (displayed on the screen) which is thenused to sign in via the PC. In addition, IT can leverage MFAto further improve the security of the sign-in process.Management from DeviceManagerThe IP phone supports management and provisioning byAudioCodes’ Device Manager via HTTPS protocol.The phone validates the identity of the Device Managerusing a known root CA.Transport Layer Security (TLS)BoringSSL is used to implement cryptography and TLS.Android Debug Bridge (ADB)AudioCodes disables the Android Debug Bridge (ADB)application and keeps the Teams app running in the front allthe time, which means there is no way to install other Appsfrom unknown sources and sideloading.CLI (using SSH)The Native Teams phone leverages SSH as a debugginginterface. AudioCodes recommends that customers disableSSH on the device. This can be done via AudioCodes’ DeviceManager (OVOC). SSH must be disabled by default andenabled only per specific case for debugging purposes only.HTTPSThe phone uses HTTPS protocol for accessing MicrosoftTeams admin center. This is enabled only after a successfulsecured sign-in process.Operating System (OS)The phone’s OS is a customized version of Android (7.0 or9.0 depending on the phone model) running in AndroidKiosk mode. Only specific Microsoft apps and AudioCodessigned apps that were certified and approved in thecertification process, can run under Kiosk mode.Document #: LTRT-91108AudioCodes Inc.200 Cottontail Lane, Suite A101E, SomersetNJ 08873Tel: 1-732-469-0880 Fax: 1-732-469-2298International Headquarters1 Hayarden Street, Airport City, Lod 7019900P.O. Box 255, Ben Gurion Airport, Israel, 70100Tel: 972-3-976-4000 Fax: 972-3-976-4040Date: April, fices-worldwideWebsitehttps://www.audiocodes.com

Functional AreaSecurity Measures in UseApp SigningAndroid requires that all apps are digitally-signed with adeveloper key before installation; currently, the deviceverifies that the apps are signed by Microsoft.Google play servicesGoggle Play services were removed from the devicesoftware – no access is allowed to any Google store or Playservices.Device file systemThe device file system is encrypted.Android Security UpdatesAudioCodes regularly adopts and integrates Android securityupdates.Teams Compatible / Generic SIP IP PhonesFunctional AreaSecurity Measures in UseWeb Management via HTTPSIP phones optionally use an embedded proprietary Webserver for phone configuration.For phone security hardening, it’s recommended to disablethe phone’s Web server via configuration, or to limit it to aspecific and preconfigured access list.Management from DeviceManagerThe IP phone supports management and provisioning by theDevice Manager via HTTPS protocol.The management interface can be restricted to use HTTPSonly and limited to a specific access list.Transport Layer Security (TLS)and Secure Sockets Layer (SSL)OpenSSL is used as the TLS/SSL toolkit and cryptographylibrary. The phones use the Long-Term Support (LTS) streamof OpenSSL 1.0.2.CLI (using SSH)Access to the phone through the Command Line Interface(CLI) can be configured to employ the followingauthentication methods:SSH key pairsUsername-password combinationDisable (no CLI access)For security hardening, the Telnet management interfacecan be disabled and the CLI interface can be limited to aspecific access list. Document #: LTRT-91108AudioCodes Inc.200 Cottontail Lane, Suite A101E, SomersetNJ 08873Tel: 1-732-469-0880 Fax: 1-732-469-2298International Headquarters1 Hayarden Street, Airport City, Lod 7019900P.O. Box 255, Ben Gurion Airport, Israel, 70100Tel: 972-3-976-4000 Fax: 972-3-976-4040Date: April, fices-worldwideWebsitehttps://www.audiocodes.com

Functional AreaHTTPSSecurity Measures in UseThe phone uses HTTPS protocol for provisioning,management and for accessing Web services.HTTPS traffic uses TLS 1.2 transport.For TLS 1.2 connections, it’s recommended to use one ofthe following advanced cipher suites:TLS ECDHE RSA WITH AES 256 GCM SHA384 (0xc030)TLS ECDHE ECDSA WITH AES 256 GCM SHA384 (0xc02c)TLS ECDHE RSA WITH AES 256 CBC SHA384 (0xc028)TLS ECDHE ECDSA WITH AES 256 CBC SHA384 (0xc024)SIPSIP Signaling protocol is used by the phone to establishvoice sessions.All SIP traffic uses TLS 1.2 transport.Operating System (OS)The phone’s OS is a highly-customized version of EmbeddedLinux.Only the necessary, bare-minimum set of Linux componentsand utilities are enabled.Proactive Vulnerabilities TrackingAudioCodes actively searches for potential vulnerabilities on an on-going basis. It does this byemploying these methods:Continuous Open-Source CVE Threat Reports AnalysisCommon Vulnerabilities and Exposures (CVE) reports for open-source components (forexample, OpenSSL, CentOS) are tracked and analyzed by AudioCodes on an ongoing basis.New reported CVEs are tracked and analyzed by R&D to determine the needed response on acase-by-case basis.AudioCodes Security Quality AssuranceAudioCodes Quality Assurance team routinely tests the SBC with various security testingequipment such as: Symantec Nessus, IXIA, PROTOS, Spectra 2, ISIC, SipP, Burp SuiteProfessional.AudioCodes One Voice Operation Center (OVOC), which includes the EMS and SEMapplications, is regularly scanned using security scanning tools. These tools include Nessus and Burp Suite Professional.The above tests are performed as part of the AudioCodes software release process.Document #: LTRT-91108AudioCodes Inc.200 Cottontail Lane, Suite A101E, SomersetNJ 08873Tel: 1-732-469-0880 Fax: 1-732-469-2298International Headquarters1 Hayarden Street, Airport City, Lod 7019900P.O. Box 255, Ben Gurion Airport, Israel, 70100Tel: 972-3-976-4000 Fax: 972-3-976-4040Date: April, fices-worldwideWebsitehttps://www.audiocodes.com