10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
74.4%
Fonality (previously trixbox Pro) version 12.6 and later uses a hard-coded password, and the accompanying HUDweb plugin embeds a private SSL key.
CWE-259**: Use of Hard-coded Password -**CVE-2016-2362
According to the reporter, FTP is used to sync phone configurations for users, by use of a hard-coded username and password. The default SSH server configuration allows the FTP user to also log in via SSH and obtain a shell as the ‘nobody’ user.
CWE-266**: Incorrect Privilege Assignment -**CVE-2016-2363
According to the reporter, the script /var/www/rpc/surun
has incorrect permissions, allowing the user ‘nobody’ to run many commands as root.
CWE-321**: Use of Hard-coded Cryptographic Key -**CVE-2016-2364
According to the reporter, the HUDweb plugin for Google Chrome contains a Thawte-signed SSL certificate and private key. This key is shared across all installations.
The CVSS score below is based on CVE-2016-2363.
A remote attacker with knowledge of the password may be able to log into the server as ‘nobody’ and execute commands as root. An attacker with knowledge of the private key may be able to conduct impersonation, man-in-the-middle, or passive decryption attacks.
Apply an update
A patch addressing CVE-2016-2362 and CVE-2016-2363 in Fonality version 12.6 and above has been released. This patch is available via the automatic updates feature. Users of versions prior to version 12.6 are encouraged to upgrade to 12.6 or later as soon as possible.
CVE-2016-2364 was partially addressed in a Webphone plugin update released on 2016 May 5, but still makes use of hard-coded cryptographic material and only notifies the user.
On 20 December 2016, HUDweb 1.4.4 was released to address CVE-2016-2364. Users will be automatically upgraded when visiting HUDweb.fonality.com. Users are encouraged to update their plugin to latest available version of HUDweb, instead of Webphone.
Affected users should also consider the following workarounds:
Restrict Network Access
As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product’s manual for more information.
754056
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: February 02, 2016 Updated: April 18, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 9 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Temporal | 7.7 | E:POC/RL:U/RC:UR |
Environmental | 5.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Charlie Wolf for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2016-2362, CVE-2016-2363, CVE-2016-2364 |
---|---|
Date Public: | 2016-06-01 Date First Published: |
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
74.4%