CVE-2019-12147

The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the system (either via the web interface or via SSH) to achieve complete compromise of the device. This affects /var/webconfig/gui/Webconfig.inc.php and /usr/local/sng/bin/sng-user-mgmt.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 5.0 MEDIUM

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/154914/Sangoma-SBC-2.3.23-119-GA-Unauthenticated-User-Creation.html	Exploit Third Party Advisory VDB Entry
https://blog.appsecco.com	Not Applicable
http://seclists.org/fulldisclosure/2019/Oct/40	Exploit Mailing List Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:sangoma:session_border_controller_firmware:2.3.23-119-ga:*:*:*:*:*:*:*

cpe:2.3:h:sangoma:session_border_controller:-:*:*:*:*:*:*:*

Information

Published : 2019-10-22 09:15

Updated : 2020-08-24 10:37

NVD link : CVE-2019-12147

Mitre link : CVE-2019-12147

JSON object : View

CWE

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Advertisement

Products Affected

sangoma

session_border_controller_firmware
session_border_controller

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://packetstormsecurity.com/files/154914/Sangoma-SBC-2.3.23-119-GA-Unauthenticated-User-Creation.html", "name": "http://packetstormsecurity.com/files/154914/Sangoma-SBC-2.3.23-119-GA-Unauthenticated-User-Creation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "https://blog.appsecco.com", "name": "https://blog.appsecco.com", "tags": ["Not Applicable"], "refsource": "MISC"}, {"url": "http://seclists.org/fulldisclosure/2019/Oct/40", "name": "20191018 Sangoma SBC local sudo user creation vulnerability without authentication - CVE-2019-12147", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "refsource": "FULLDISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the system (either via the web interface or via SSH) to achieve complete compromise of the device. This affects /var/webconfig/gui/Webconfig.inc.php and /usr/local/sng/bin/sng-user-mgmt."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-88"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-12147", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2019-10-22T16:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:sangoma:session_border_controller_firmware:2.3.23-119-ga:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:sangoma:session_border_controller:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2020-08-24T17:37Z"}