Fonality (previously trixbox Pro) version 12.6 and later uses a hard-coded password, and the accompanying HUDweb plugin embeds a private SSL key.
CWE-259: Use of Hard-coded Password - CVE-2016-2362
According to the reporter, FTP is used to sync phone configurations for users, using a hard-coded username and password. The default SSH server configuration also allows the FTP user to log in via SSH and obtain a shell as the 'nobody' user.
A remote attacker with knowledge of the password may be able to log into the server as 'nobody' and execute commands as root. An attacker with knowledge of the private key may be able to conduct impersonation, man-in-the-middle, or passive decryption attacks.
Apply an update
Restrict network access
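The weakness described above has two parts: a sync account with a fixed password, and an sshd configuration that does nothing to stop that account from getting an interactive shell. The following audit script is an added example and is not code from the advisory or from Fonality; it checks the second part on a host. The account name `ftpsync` and the sample sshd_config and passwd lines are constructed placeholders, since the advisory does not disclose the real username.

```shell
#!/bin/sh
# Added example (not from the advisory): verify that an account used only for
# FTP configuration sync cannot also obtain an interactive shell over SSH.
# "ftpsync" is a placeholder; the real account name is not published.

# Constructed sshd_config mirroring the weak default in the advisory:
# nothing restricts the sync account from logging in over SSH.
WEAK_SSHD_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin no'

# Hardened variant: sshd refuses SSH logins for the sync account outright.
HARDENED_SSHD_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin no
DenyUsers ftpsync'

# Constructed /etc/passwd entries: a real login shell versus nologin.
WEAK_PASSWD='ftpsync:x:1001:1001::/var/ftp:/bin/sh'
HARDENED_PASSWD='ftpsync:x:1001:1001::/var/ftp:/sbin/nologin'

# ssh_login_denied CONFIG USER
# Returns 0 if a DenyUsers line in CONFIG names USER, 1 otherwise.
ssh_login_denied() {
    printf '%s\n' "$1" | awk -v u="$2" '
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_interactive_shell PASSWD_LINE
# Returns 0 if the seventh field is a usable login shell, 1 if it is a
# nologin-style shell (or empty).
has_interactive_shell() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|"") return 1 ;;
        *) return 0 ;;
    esac
}

# audit_sync_account CONFIG PASSWD_LINE USER
# Prints a verdict and returns 0 when USER cannot get a shell via SSH,
# 1 when the weak configuration from the advisory is present.
audit_sync_account() {
    user=$3
    if ssh_login_denied "$1" "$user"; then
        echo "OK: sshd denies SSH login for $user"
        return 0
    fi
    if ! has_interactive_shell "$2"; then
        echo "OK: $user has no interactive login shell"
        return 0
    fi
    echo "FAIL: $user can log in over SSH and obtains a shell"
    return 1
}

# Usage: audit the constructed weak and hardened samples.
audit_sync_account "$WEAK_SSHD_CONFIG" "$WEAK_PASSWD" ftpsync || true
audit_sync_account "$HARDENED_SSHD_CONFIG" "$HARDENED_PASSWD" ftpsync
```

On a live host, pass the real files instead of the samples, for example `audit_sync_account "$(cat /etc/ssh/sshd_config)" "$(grep '^ftpsync:' /etc/passwd)" ftpsync`. Either control alone (a `DenyUsers` entry or a nologin shell) closes the SSH path; applying both means a later change to one file does not silently reopen it. Neither control removes the hard-coded password itself, so the vendor update is still required.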
Thanks to Charlie Wolf for reporting this vulnerability.
This document was written by Garret Wassermann.