Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
1

CVE-2020-7351

Disclosure Date: April 28, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the “asterisk” user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through 2.8.0.4. Versions 1.0 and 1.1 are unaffected.

Add Assessment

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

A command injection vulnerability in the network POST parameter of the /maint/modules/endpointcfg/endpoint_devicemap.php page on Fonality Trixbox Community Edition versions 1.2.0 through 2.8.0.4 allowed remote authenticated attackers to take complete control over the affected devices as the asterisk user, and then elevate to root by running sudo nmap --interactive followed by !sh from within nmap.

My personal opinion on this is that it is a very wide ranging vulnerability in terms of the number of versions affected. We are talking over 60% of the released versions of Fonality Trixbox Community Edition were affected by this vulnerability, although the main downside is that Fonality TrixBox Community Edition is no longer supported by its developers.

This creates an interesting question cause whilst telephony systems are known to run out of date and depreciated software (as is the case with many public service departments), I don’t know if this particular software would still be used in most departments or if they would have just moved on by this point. Particularly given that this software is the community edition I imagine most users would have moved on to other software by now, but we all know that, like Windows XP, some people will still cling to what they know is tried and true. That being said I would have to imagine that the numbers have diminished significantly in the time between the last release of Fonality TrixBox Community Edition and now.

Additionally the requirement for a user to be authenticated to exploit this vulnerability means that simply setting a strong password on affected devices will likely prevent them from being compromised by this vulnerability.

TLDR: An interesting vulnerability but seeing as the software is no longer supported and it does require authenticated access, its probably not something that should be at the top of your priority list unless you know you are running TrixBox Community Edition, in which case if you can’t upgrade it is recommended you ensure all devices have a strong password, as this will prevent users from easily being able to exploit this vulnerability.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • netfortris

Products

  • trixbox

Additional Info

Technical Analysis