Vulnerability Note VU#754056
Fonality contains a hard-coded password and embedded SSL private key
Fonality (previously trixbox Pro) version 12.6 and later uses a hard-coded password, and the accompanying HUDweb plugin embeds a private SSL key.
CWE-259: Use of Hard-coded Password - CVE-2016-2362
According to the reporter, FTP is used to sync phone configurations for users, using a hard-coded username and password. The default SSH server configuration also allows the FTP user to log in via SSH and obtain a shell as the 'nobody' user.
A remote attacker with knowledge of the password may be able to log into the server as 'nobody' and execute commands as root. An attacker with knowledge of the private key may be able to conduct impersonation, man-in-the-middle, or passive decryption attacks.
Apply an update
Restrict Network Access
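As an added illustration (not code from the CERT note or from Fonality), the Python check below applies sshd's AllowUsers/DenyUsers/AllowGroups/DenyGroups ordering and Match User confinement to a configuration, so an administrator can verify that an FTP sync account can no longer reach a shell over SSH, the failure mode the note describes. The account name 'ftpsync' and both configurations are constructed placeholders.

```python
from fnmatch import fnmatchcase
# Constructed samples (not Fonality's files): a permissive default and a hardened config.
DEFAULT_CONFIG = "PasswordAuthentication yes\nSubsystem sftp internal-sftp\n"
HARDENED_CONFIG = """PasswordAuthentication yes
Subsystem sftp internal-sftp
DenyUsers ftpsync
Match User ftpsync
    ForceCommand internal-sftp
    PermitTTY no
"""

def parse_sshd_config(text):
    """Return (global directives, Match blocks); keys lowercased, comments dropped."""
    globals_, blocks, current = [], [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = (value.split(), [])  # (criteria tokens, directives in the block)
            blocks.append(current)
        elif current is None:
            globals_.append((key, value))
        else:
            current[1].append((key, value))
    return globals_, blocks

def matches_any(name, patterns):
    # sshd patterns are shell-style globs; a USER@HOST pattern is cut at '@'.
    return any(fnmatchcase(name, p.split("@", 1)[0]) for p in patterns)

def ssh_shell_allowed(text, user, groups=()):
    """True if sshd would grant `user` a shell: DenyUsers, AllowUsers, DenyGroups, AllowGroups in
    sshd's documented order, then a Match User block with ForceCommand/PermitTTY no = confined."""
    globals_, blocks = parse_sshd_config(text)
    lists = {k: [] for k in ("denyusers", "allowusers", "denygroups", "allowgroups")}
    for key, value in globals_:
        if key in lists:
            lists[key] += value.split()
    if (matches_any(user, lists["denyusers"])
            or (lists["allowusers"] and not matches_any(user, lists["allowusers"]))
            or any(matches_any(g, lists["denygroups"]) for g in groups)
            or (lists["allowgroups"] and not any(matches_any(g, lists["allowgroups"]) for g in groups))):
        return False
    for criteria, directives in blocks:
        confined = any(k == "forcecommand" or (k, v.lower()) == ("permittty", "no") for k, v in directives)
        if confined and len(criteria) > 1 and criteria[0].lower() == "user" and matches_any(user, criteria[1].split(",")):
            return False
    return True
```

Only the global section and Match User blocks are evaluated; other Match criteria (Group, Address) are not modelled.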
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Fonality | Affected | 02 Feb 2016 | 18 Apr 2016 |
Thanks to Charlie Wolf for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-2362 CVE-2016-2363 CVE-2016-2364
- Date Public: 01 Jun 2016
- Date First Published: 01 Jun 2016
- Date Last Updated: 21 Dec 2016
- Document Revision: 58