Executive Summary

Title Fonality contains a hard-coded password and embedded SSL private key
Name VU#754056 First vendor Publication 2016-06-01
Vendor VU-CERT Last vendor Modification 2016-06-02
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#754056

Fonality contains a hard-coded password and embedded SSL private key

Original Release date: 01 Jun 2016 | Last revised: 02 Jun 2016


Fonality (previously trixbox Pro) version 12.6 and later uses a hard-coded password, and the accompanying HUDweb plugin embeds a private SSL key.


CWE-259: Use of Hard-coded Password - CVE-2016-2362

According to the reporter, FTP is used to sync phone configurations for users, by use of a hard-coded username and password. The default SSH server configuration allows the FTP user to also log in via SSH and obtain a shell as the 'nobody' user.

CWE-266: Incorrect Privilege Assignment - CVE-2016-2363

According to the reporter, the script /var/www/rpc/surun has incorrect permissions, allowing the user 'nobody' to run many commands as root.

CWE-321: Use of Hard-coded Cryptographic Key - CVE-2016-2364

According to the reporter, the HUDweb plugin for Google Chrome contains a Thawte-signed SSL certificate and private key. This key is shared across all installations.

The CVSS score below is based on CVE-2016-2363.


A remote attacker with knowledge of the password may be able to log into the server as 'nobody' and execute commands as root. An attacker with knowledge of the private key may be able to conduct impersonation, man-in-the-middle, or passive decryption attacks.


Apply an update

A patch addressing CVE-2016-2362 and CVE-2016-2363 in Fonality version 12.6 and above has been released. This patch is available via the automatic updates feature. Users of versions prior to version 12.6 are encouraged to upgrade to 12.6 or later as soon as possible.

CVE-2016-2364 was addressed in a Webphone plugin update released on 2016 May 5. Users are encouraged to update their plugin to latest available version of Webphone, instead of HUDweb.

Affected users should also consider the following workarounds:

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
FonalityAffected02 Feb 201618 Apr 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://www.fonality.com/
  • https://cwe.mitre.org/data/definitions/259.html
  • https://cwe.mitre.org/data/definitions/266.html
  • https://cwe.mitre.org/data/definitions/321.html


Thanks to Charlie Wolf for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2016-2362CVE-2016-2363CVE-2016-2364
  • Date Public:01 Jun 2016
  • Date First Published:01 Jun 2016
  • Date Last Updated:02 Jun 2016
  • Document Revision:48


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/754056

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-310 Cryptographic Issues
50 % CWE-264 Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Application 3
Application 1

Alert History

If you want to see full details history, please login or register.
Date Informations
2016-06-22 00:38:21
  • Multiple Updates
2016-06-21 17:36:22
  • Multiple Updates
2016-06-20 09:43:26
  • Multiple Updates
2016-06-02 21:24:20
  • Multiple Updates
2016-06-01 21:22:08
  • First insertion