1. Vulnerability Overview
Akuvox prioritizes product security and user privacy protection. Recently, security researchers reported multiple vulnerabilities in the E11 series products, affecting encryption mechanisms, authentication controls, sensitive file protection, and communication protocol security. Akuvox has released remediation patches. Please refer to this advisory and upgrade systems promptly.
2. Vulnerability Details
The vulnerabilities and their remediation measures are listed below:
| CVE ID | Vulnerability Category & Description | Remediation Measure |
|---|---|---|
| CVE-2023-0343 | Static encryption parameters: message forwarding uses a fixed IV and key, so captured communications can potentially be decrypted. | Move to an AES-256 scheme with a dynamic (per-message) IV. |
| CVE-2023-0355 | Hard-coded encryption key: the device protects sensitive information with a fixed key hard-coded in the device. | Read the key dynamically from an encrypted, protected file instead. |
| CVE-2023-0354 | Unauthenticated web service access: some web interfaces lack authentication, risking leakage of sensitive information. | Enforce authentication on all URLs that perform risky operations. |
| CVE-2023-0353 | Weak encryption of stored passwords: passwords in configuration files are protected with a weak algorithm and a hard-coded key. | Upgrade the password storage algorithm and remove the dependency on a hard-coded decryption key. |
| CVE-2023-0352 | CGI authentication defect: some CGI scripts have inadequate permission controls. | Strengthen access control in the affected CGI scripts. |
| CVE-2023-0351 | Unauthorized download of sensitive files: sensitive data in specific directories can be retrieved by unauthorized users. | Strictly restrict download and access permissions for sensitive files. |
| CVE-2023-0350 | Insecure data transmission: some device configuration and sensitive data are transmitted in plaintext or with weak encryption. | Apply strong encryption to all sensitive data in transit. |
| CVE-2023-0349 | Insufficient firmware encryption: firmware encryption relies on known, fixed parameters. | Rework the firmware encryption logic and stop using known fixed parameters. |
| CVE-2023-0348 | Unauthorized CGI operations: unauthorized users may trigger system operations through specific CGI scripts. | Strengthen legitimacy checks on CGI operation requests. |
| CVE-2023-0347 | Missing SIP call controls: the SIP server lacks strict access control. | Restrict terminal-to-terminal calls between different logical zones. |
| CVE-2023-0346 | Unencrypted device identification: the device's IP and MAC address association is reported unencrypted. | Anonymize device identification information and enable HTTPS. |
| CVE-2023-0344 | Missing transport encryption: some cloud login interactions take place over unencrypted HTTP. | Move all such interactions to HTTPS. |
| CVE-2023-0345 | Default service exposure: the SSH service is enabled by default with preset credentials that cannot be changed. | Upgrade firmware to disable unnecessary services and improve default credential management. |
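
The first two rows describe one root cause with two faces: a fixed IV (CVE-2023-0343) and a fixed, hard-coded key (CVE-2023-0355, and again for stored passwords in CVE-2023-0353). The Go program below is an added example written for this page, not Akuvox firmware code; its key, IV and messages are constructed. It shows the eavesdropper's view of a static-IV stream cipher: two captured messages XORed with the same keystream leak each other, so one predictable message reveals the other with no key at all. Beside it is one way to realise the "dynamic IV AES256" remediation, here as AES-256-GCM with a fresh random nonce per message (the choice of GCM, which also authenticates the data, is this example's assumption, not a statement about the shipped fix).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed stand-ins for parameters baked into firmware. These are
// assumptions for the example, not values from any Akuvox device.
var (
	hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	staticIV     = []byte("fixed-iv-16bytes")                 // 16 bytes, never changes
)

// weakEncrypt models the CVE-2023-0343 defect: AES-256-CTR with the same key
// and IV for every message, so every message is XORed with the same keystream.
func weakEncrypt(plaintext []byte) []byte {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		panic(err) // key length is fixed above, so this cannot fail
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, staticIV).XORKeyStream(out, plaintext)
	return out
}

// xorBytes XORs two slices up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverFromKnownPlaintext is the eavesdropper's side. Given two ciphertexts
// made with the same key and IV plus the plaintext of the first (a predictable
// status message, say), it yields the second plaintext up to the known length.
func recoverFromKnownPlaintext(c1, c2, p1 []byte) []byte {
	keystream := xorBytes(c1, p1) // C1 xor P1 = keystream
	return xorBytes(keystream, c2) // keystream xor C2 = P2
}

// strongEncrypt is one way to implement a "dynamic IV" scheme: AES-256-GCM with
// a fresh random 96-bit nonce per message, prepended to the output. GCM also
// authenticates the ciphertext; that is this example's choice, not the advisory's.
func strongEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// strongDecrypt reverses strongEncrypt and fails on any tampering.
func strongDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns+aead.Overhead() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(data))
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

func main() {
	// Constructed sample messages standing in for two forwarded device messages.
	known := []byte("status=ok;door=closed")
	secret := []byte("set_admin_pw=hunter2_secret")
	recovered := recoverFromKnownPlaintext(weakEncrypt(known), weakEncrypt(secret), known)
	fmt.Printf("static IV:    recovered %q with no key\n", recovered)
	e1, _ := strongEncrypt(hardcodedKey, known)
	e2, _ := strongEncrypt(hardcodedKey, known)
	fmt.Println("random nonce: same message, different ciphertexts:", !bytes.Equal(e1, e2))
	pt, err := strongDecrypt(hardcodedKey, e1)
	fmt.Printf("random nonce: decrypts to %q (err=%v)\n", pt, err)
}
```

Run it with `go run`. Note what the random nonce does and does not fix: it stops keystream reuse between messages, but a key that is still hard-coded in the firmware image can be read out of that image, which is why the advisory pairs the IV change with reading the key from a protected file.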
3. Affected Versions
- Product Name: E11
- Affected Versions: V111.30.2.19 and earlier
4. Remediation and Recommendations
Firmware Upgrade
Akuvox strongly recommends all affected users upgrade firmware immediately:
Target Version: V111.30.2.22
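
To check an inventory of E11 devices against the range above, the Go function below (an added example, not an Akuvox tool) parses the reported firmware string and compares it numerically against V111.30.2.19. It exists mainly to avoid a common mistake: comparing version strings lexically puts V111.30.2.9 after V111.30.2.19, so such a device would wrongly be treated as patched. The sample version strings at the bottom are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version boundaries taken from the advisory.
const (
	LastAffected = "V111.30.2.19" // this version and earlier are affected
	FixedVersion = "V111.30.2.22" // upgrade target
)

// parseVersion turns "V111.30.2.19" into [111 30 2 19]. A leading V/v is optional.
func parseVersion(v string) ([]int, error) {
	v = strings.TrimLeft(strings.TrimSpace(v), "Vv")
	if v == "" {
		return nil, fmt.Errorf("empty version string")
	}
	parts := strings.Split(v, ".")
	segs := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid version %q: segment %q is not a non-negative integer", v, p)
		}
		segs = append(segs, n)
	}
	return segs, nil
}

// compareVersions compares numerically segment by segment; a missing trailing
// segment counts as 0, so "V111.30.2" equals "V111.30.2.0". Returns -1, 0 or 1.
func compareVersions(a, b []int) int {
	n := len(a)
	if len(b) > n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		switch {
		case x < y:
			return -1
		case x > y:
			return 1
		}
	}
	return 0
}

// IsAffected reports whether a reported E11 firmware version is at or below the
// last affected version. A plain string comparison gets this wrong:
// "V111.30.2.9" sorts after "V111.30.2.19" lexically but is older numerically.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	limit, err := parseVersion(LastAffected)
	if err != nil {
		return false, err
	}
	return compareVersions(v, limit) <= 0, nil
}

func main() {
	// Constructed inventory of reported firmware strings (not real device data).
	for _, v := range []string{"V111.30.2.19", "V111.30.2.9", FixedVersion, "111.30.2.22", "V111.30.x"} {
		affected, err := IsAffected(v)
		if err != nil {
			fmt.Printf("%-14s -> cannot evaluate: %v\n", v, err)
			continue
		}
		fmt.Printf("%-14s -> affected=%v\n", v, affected)
	}
}
```

Versions that fail to parse are reported as errors rather than silently treated as patched, so a malformed or unexpected string still gets a human look.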
Environment Hardening
Until the firmware upgrade is complete, administrators should isolate affected devices in a restricted network zone and use firewalls to block unnecessary external access to management ports, including the SSH service that is enabled by default (CVE-2023-0345) and the web and CGI interfaces listed above.
5. Acknowledgments
Thanks to Vera Mens and Amir Preminger from Claroty Research for discovering these vulnerabilities, reporting them to CISA, and helping Akuvox continuously improve product security.
6. Contact Us
To report any security issues in Akuvox products, please contact:
Email: asrc@akuvox.com
Reference SNs: ASRC-202303-01 to ASRC-202303-13