Sangoma FreePBX Linux Insecure Permissions


Posted by Vasilis Sikkis

10 April 2023


Vendor of the product: Sangoma Technologies Corporation

Affected products:

Product: Sangoma FreePBX Linux (ISO images SNG7-PBX16-64bit)

Versions: 2105, 2109, 2112, 2201, 2202, 2203

Product: Sangoma FreePBX Linux (ISO images SNG7-(F)PBX-64bit)

Versions: 1805, 1904, 1910, 2002, 2008, 2011, 2104, 2203, 2302

Attack Type: Remote

Discovered: 01/02/2023

Reported: 28/02/2023

Disclosed: 10/04/2023

Affected Components: Asterisk REST Interface (ARI)

CVE assigned: CVE-2023-26567

CVSS Score: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)

Vulnerability Description: Sangoma FreePBX Linux 7 versions from 1805 to 2302, when installed from the official ISO images, add the AMPDBUSER, AMPDBPASS, AMPMGRUSER and AMPMGRPASS variables to Asterisk's list of global variables. These variables expose cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and the Asterisk Manager Interface (AMI).

Attack Vector: To exploit the vulnerability, an attacker must connect to either port 8088/tcp (HTTP/WS) or 8089/tcp (HTTPS/WSS), authenticate to the ARI service and issue a request to the following API endpoint: /ari/asterisk/variable?variable=AMPDBPASS

Impact: If the Asterisk Database (MariaDB/MySQL) and/or the Asterisk Manager Interface have been configured by the administrator to accept remote connections, attackers can issue Asterisk commands, read events, make configuration changes, extract useful information (e.g. extension passwords, SIP trunk information), download files from the filesystem and/or upload files to it (e.g. a webshell).
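Two defender-side checks that follow from the advisory, as an added example written for this page and not code from Sangoma or the advisory author: the first flags ARI requests that read the four credential-bearing globals in HTTP access logs, the second audits an Asterisk dialplan fragment for those variables in its [globals] section. Assumptions are labelled in the code: the access-log lines are constructed in Combined Log Format (a real ARI listener or fronting proxy may log differently), the config fragment is constructed with placeholder values rather than real credentials, and the "NAME=value" / "NAME => value" syntax is the ordinary Asterisk config form.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Global variables the advisory names as carrying cleartext credentials.
SENSITIVE_GLOBALS = {"AMPDBUSER", "AMPDBPASS", "AMPMGRUSER", "AMPMGRPASS"}

# Constructed access-log lines (assumption: Combined Log Format, as written by
# a conventional web server or reverse proxy in front of the ARI listener).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2023:12:00:01 +0000] "GET /ari/asterisk/info HTTP/1.1" 200 512
203.0.113.5 - - [10/Apr/2023:12:00:02 +0000] "GET /ari/asterisk/variable?variable=AMPDBPASS HTTP/1.1" 200 48
203.0.113.5 - - [10/Apr/2023:12:00:03 +0000] "GET /ari/asterisk/variable?variable=AMPMGRPASS&api_key=ariuser:pw HTTP/1.1" 200 48
198.51.100.7 - - [10/Apr/2023:12:00:04 +0000] "GET /ari/asterisk/variable?variable=MYCUSTOMVAR HTTP/1.1" 200 32
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def detect_credential_reads(log_text):
    """Return (source, timestamp, VARIABLE) for every ARI request that reads a
    sensitive global via /ari/asterisk/variable, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/ari/asterisk/variable":
            continue
        # parse_qs returns a list per key; a request may name the variable once
        # or several times, so check each value.
        for var in parse_qs(parts.query).get("variable", []):
            if var.upper() in SENSITIVE_GLOBALS:
                hits.append((m.group("src"), m.group("ts"), var.upper()))
    return hits


# Constructed Asterisk config fragment; the values are placeholders, not
# credentials. Assumption: globals live in a [globals] section using the usual
# "NAME=value" or "NAME => value" Asterisk syntax.
SAMPLE_GLOBALS_CONF = """\
[globals]
AMPDBHOST=localhost
AMPDBUSER=freepbxuser
AMPDBPASS=<placeholder-db-password>   ; exposed via ARI per CVE-2023-26567
AMPMGRUSER=admin
AMPMGRPASS => <placeholder-ami-secret>
TRUNKTIMEOUT=30

[from-internal]
exten => 100,1,NoOp()
"""

GLOBAL_LINE_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:=>|=)')


def find_exposed_globals(conf_text):
    """Return the sorted names of sensitive variables defined in [globals]."""
    found = set()
    section = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop Asterisk ';' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "globals":
            continue
        m = GLOBAL_LINE_RE.match(line)
        if m and m.group(1).upper() in SENSITIVE_GLOBALS:
            found.add(m.group(1).upper())
    return sorted(found)


if __name__ == "__main__":
    for src, ts, var in detect_credential_reads(SAMPLE_LOG):
        print(f"ALERT {ts} {src} read global {var} via ARI")
    exposed = find_exposed_globals(SAMPLE_GLOBALS_CONF)
    print("sensitive globals defined:", ", ".join(exposed) or "none")
```

The log check deliberately matches on the parsed path and query parameter rather than a raw substring, so encoded or reordered query strings (such as the api_key-first form in the third sample line) are still caught; the config audit reports which of the four variables are present so that an operator can confirm they have been moved out of the global scope after patching.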
