CVE-2023-26567: Sangoma FreePBX Linux Insecure Permissions
Sangoma FreePBX 1805 through 2302 (when obtained as an .ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call.
We have an active role in the security research field as we continuously search for new vulnerabilities. Our vulnerability disclosure policy follows the principles of responsible disclosure so as to allow software vendors to develop a patch to fix the vulnerable piece of code before we publish any details on the Internet.
Sangoma FreePBX Linux Insecure Permissions
Vendor of the product: Sangoma Technologies Corporation
Affected products:
Product: Sangoma FreePBX Linux (ISO images SNG7-PBX16-64bit)
Versions: 2105, 2109, 2112, 2201, 2202, 2203
Product: Sangoma FreePBX Linux (ISO images SNG7-(F)PBX-64bit)
Versions: 1805, 1904, 1910, 2002, 2008, 2011, 2104, 2203, 2302
Attack Type: Remote
Discovered: 01/02/2023
Reported: 28/02/2023
Disclosed: 10/04/2023
Affected Components: Asterisk REST Interface (ARI)
CVE assigned: CVE-2023-26567
CVSS Score: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
Vulnerability Description: Sangoma FreePBX Linux 7 versions from 1805 to 2302, when installed from the official ISO images, add the AMPDBUSER, AMPDBPASS, AMPMGRUSER and AMPMGRPASS variables to Asterisk's list of global variables, which exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and the Asterisk Manager Interface.
Attack Vector: To exploit the vulnerability, attackers must connect to either port 8088/tcp (HTTP/WS) or 8089/tcp (HTTPS/WSS), authenticate with the ARI service and issue a request to the specific API endpoint, as follows: /ari/asterisk/variable?variable=AMPDBPASS
Impact: If the Asterisk Database (MariaDB/MySQL) and/or the Asterisk Manager Interface have been configured by the administrator to accept remote connections, attackers can issue Asterisk commands, read events, make configuration changes, extract useful information (e.g. extension passwords, SIP trunk information), download files from the filesystem and/or upload files to it (e.g. a webshell).
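For administrators who want to verify whether their own installation is affected, and to spot reads of these variables through the ARI endpoint named in the Attack Vector above, the following Python script is an added example; it is not code from the advisory or from Sangoma. It assumes that `asterisk -rx "dialplan show globals"` prints one `NAME=value` line per global variable (format assumed), and the access-log lines it scans are constructed in a generic combined-log style such as a reverse proxy in front of ARI might produce.

```python
from __future__ import annotations

import re
import urllib.parse

# Credential-bearing global variable names listed in the advisory.
SENSITIVE_GLOBALS = {"AMPDBUSER", "AMPDBPASS", "AMPMGRUSER", "AMPMGRPASS"}

# Constructed sample of `asterisk -rx "dialplan show globals"` output
# (the NAME=value layout is an assumption; values are placeholders).
SAMPLE_GLOBALS_OUTPUT = """\
   -- Global variables:
   DIALPLAN_VERSION=2302
   AMPDBUSER=freepbxuser
   AMPDBPASS=example-db-secret
   AMPMGRUSER=admin
   AMPMGRPASS=example-mgr-secret
   RINGTIMER=15
   -- 6 variables
"""

# Constructed access-log lines (combined-log style assumed) showing two
# ARI variable reads that hit credential names and one that does not.
SAMPLE_LOG = """\
203.0.113.7 - ari - [10/Apr/2023:10:01:02 +0000] "GET /ari/asterisk/variable?variable=AMPDBPASS HTTP/1.1" 200 45
203.0.113.7 - ari - [10/Apr/2023:10:01:05 +0000] "GET /ari/channels HTTP/1.1" 200 2
198.51.100.3 - ari - [10/Apr/2023:10:02:11 +0000] "GET /ari/asterisk/variable?variable=RINGTIMER HTTP/1.1" 200 20
198.51.100.3 - ari - [10/Apr/2023:10:02:12 +0000] "GET /ari/asterisk/variable?variable=AMPMGRPASS HTTP/1.1" 200 47
"""

# A global variable line: optional indent, identifier, '=', rest of line.
GLOBAL_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# Source address and request path of a GET against the ARI variable endpoint.
ARI_VARIABLE_REQUEST = re.compile(r'^(\S+) .*?"GET (/ari/asterisk/variable\?[^" ]*)')


def parse_globals(output: str) -> dict[str, str]:
    """Turn `dialplan show globals` output into a name -> value mapping."""
    found: dict[str, str] = {}
    for line in output.splitlines():
        match = GLOBAL_LINE.match(line)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def exposed_credentials(output: str) -> list[str]:
    """Sorted names of credential variables present among the globals.

    A non-empty result means the installation still carries the exposure
    described in the advisory and should be patched or the variables removed.
    """
    return sorted(name for name in parse_globals(output) if name in SENSITIVE_GLOBALS)


def suspicious_variable_reads(log: str) -> list[tuple[str, str]]:
    """(source, variable) pairs for ARI reads that name a credential variable."""
    hits: list[tuple[str, str]] = []
    for line in log.splitlines():
        match = ARI_VARIABLE_REQUEST.match(line)
        if not match:
            continue
        source, path = match.groups()
        query = urllib.parse.urlparse(path).query
        for name in urllib.parse.parse_qs(query).get("variable", []):
            if name.upper() in SENSITIVE_GLOBALS:
                hits.append((source, name))
    return hits


if __name__ == "__main__":
    print("exposed globals:", exposed_credentials(SAMPLE_GLOBALS_OUTPUT))
    for source, name in suspicious_variable_reads(SAMPLE_LOG):
        print(f"ARI read of {name} from {source}")
```

On a live system, feed `exposed_credentials` the real output of `asterisk -rx "dialplan show globals"` and `suspicious_variable_reads` the log of whatever fronts ports 8088/8089; the variable name check is case-insensitive because Asterisk variable names are not case-sensitive.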