AttackerKB AKB:A03E3D28-8BB7-4679-B405-A2E6E0AA1BCF
Apr 28, 2020 - 12:00 a.m.

CVE-2020-7351

2020-04-28 00:00:00
attackerkb.com

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the “asterisk” user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through 2.8.0.4. Versions 1.0 and 1.1 are unaffected.

Recent assessments:

gwillcox-r7 at November 25, 2020 6:12pm UTC reported:

A command injection vulnerability in the network POST parameter of the /maint/modules/endpointcfg/endpoint_devicemap.php page on Fonality Trixbox Community Edition versions 1.2.0 through 2.8.0.4 allowed remote authenticated attackers to take complete control over the affected devices as the asterisk user, and then elevate to root by running sudo nmap --interactive followed by !sh from within nmap.

My personal opinion on this is that it is a very wide-ranging vulnerability in terms of the number of versions affected. We are talking over 60% of the released versions of Fonality Trixbox Community Edition were affected by this vulnerability, although the main downside is that Fonality TrixBox Community Edition is no longer supported by its developers.

This creates an interesting question because whilst telephony systems are known to run out of date and deprecated software (as is the case with many public service departments), I don’t know if this particular software would still be used in most departments or if they would have just moved on by this point. Particularly given that this software is the community edition, I imagine most users would have moved on to other software by now, but we all know that, like Windows XP, some people will still cling to what they know is tried and true. That being said, I would have to imagine that the numbers have diminished significantly in the time between the last release of Fonality TrixBox Community Edition and now.

Additionally, the requirement for a user to be authenticated to exploit this vulnerability means that simply setting a strong password on affected devices will likely prevent them from being compromised by this vulnerability.

TLDR: An interesting vulnerability but seeing as the software is no longer supported and it does require authenticated access, it's probably not something that should be at the top of your priority list unless you know you are running TrixBox Community Edition, in which case if you can’t upgrade it is recommended you ensure all devices have a strong password, as this will prevent users from easily being able to exploit this vulnerability.

Assessed Attacker Value: 3
Assessed Attacker Value: 5
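For sites that cannot retire an affected Trixbox host, the following detection sketch flags POST requests to the endpoint named above whose network parameter is not a plain address or CIDR range. It is an added example, not code from AttackerKB, Rapid7 or Trixbox. The record layout (src, user, method, path, body) is a hypothetical format for a reverse proxy or WAF that logs request bodies, and the idea that a legitimate network value is always an IP network is an assumption.

```python
import ipaddress
from urllib.parse import parse_qs

# Path and parameter name are taken from the advisory text.
ENDPOINT = "/maint/modules/endpointcfg/endpoint_devicemap.php"
PARAM = "network"


def is_plain_network(value):
    """True if value parses as an IPv4/IPv6 address or CIDR range.

    Assumption: legitimate submissions only ever contain such a value.
    No stripping is done, so trailing whitespace or newlines also fail.
    """
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def suspicious_requests(records):
    """Return one hit per POST to ENDPOINT carrying a non-network PARAM value."""
    hits = []
    for rec in records:
        path = rec["path"].split("?", 1)[0]
        if rec["method"].upper() != "POST" or path != ENDPOINT:
            continue
        values = parse_qs(rec["body"]).get(PARAM, [])
        bad = [v for v in values if not is_plain_network(v)]
        if bad:
            hits.append({"src": rec["src"], "user": rec["user"], "values": bad})
    return hits


# Constructed sample records (hypothetical proxy log format, not real traffic).
SAMPLE = [
    {"src": "10.0.0.5", "user": "maint", "method": "POST", "path": ENDPOINT,
     "body": "network=192.168.1.0%2F24"},
    {"src": "10.0.0.9", "user": "maint", "method": "POST", "path": ENDPOINT,
     "body": "network=192.168.1.0%2F24%3Becho+constructed"},
    {"src": "10.0.0.9", "user": "maint", "method": "GET", "path": ENDPOINT,
     "body": ""},
    {"src": "10.0.0.7", "user": "maint", "method": "POST",
     "path": "/maint/index.php", "body": "network=not-a-network"},
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

Because exploitation requires an authenticated session, each hit also identifies an account whose credentials should be reviewed.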
