Advisories

We take an active role in security research and continuously search for new vulnerabilities. Our vulnerability disclosure policy follows the principles of responsible disclosure: software vendors are given time to develop a patch for the vulnerable code before we publish any details on the Internet.

Sangoma FreePBX Linux Hardcoded Credentials

Vulnerability Type: Hardcoded Credentials
Vendor of the product: Sangoma Technologies Corporation
Affected products:
   Product: Sangoma FreePBX Linux 7 (ISO images SNG7-PBX16-64bit)
      Versions: 2105, 2109, 2112, 2201, 2202, 2203
   Product: Sangoma FreePBX Linux 7 (ISO images SNG7-(F)PBX-64bit)
      Versions: 1805, 1904, 1910, 2002, 2008, 2011, 2104, 2203

Attack Type: Remote
Discovered: 01/02/2023
Reported: 16/02/2023
Disclosed: 10/04/2023
Affected Components: Asterisk REST Interface (ARI)
CVE assigned: CVE-2023-26566
CVSS Score: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

Vulnerability Description: Sangoma FreePBX Linux 7 versions 1805 to 2203, when installed from the official ISO images, contain hardcoded credentials for the Asterisk REST Interface (ARI), which could allow remote attackers to reconfigure Asterisk and make external and internal calls via HTTP(S) and Web Socket requests sent to the API.

Attack Vector: To exploit the vulnerability, attackers must connect to either port 8088/tcp (HTTP/WS) or 8089/tcp (HTTPS/WSS) and authenticate with the ARI service using the hardcoded credentials of the vulnerable software/distribution version.

Impact: Attackers can use the ARI functionality exposed on ports 8088/tcp and/or 8089/tcp to create Asterisk applications and endpoints, make internal and external calls, and retrieve authentication and system information that could help in formulating further attacks against the system and its users.
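Added defender-side example, not part of the original advisory: a small audit that reads the two Asterisk configuration files governing the exposure described above (http.conf for the 8088/8089 listeners, ari.conf for ARI accounts; standard Asterisk file names and keys, but assumed here rather than stated by the advisory) and reports ARI listeners bound to all interfaces, plaintext ARI passwords and write-capable ARI users. The file contents below are constructed placeholders, not the credentials shipped in any FreePBX image.

```python
import configparser
from typing import List

# Constructed sample of /etc/asterisk/http.conf (hypothetical values).
HTTP_CONF = """
[general]
enabled = yes
bindaddr = 0.0.0.0
bindport = 8088
tlsenable = yes
tlsbindaddr = 0.0.0.0:8089
"""

# Constructed sample of /etc/asterisk/ari.conf; account name and password are
# placeholders, not the real hardcoded credentials.
ARI_CONF = """
[general]
enabled = yes

[ariuser]
type = user
read_only = no
password = changeme
password_format = plain
"""

def _parse(text: str) -> configparser.ConfigParser:
    # Asterisk configs are INI-like: ';' starts a comment, keys may repeat.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp

def audit_ari(http_conf: str, ari_conf: str) -> List[str]:
    """Return findings describing risky ARI exposure and credential settings."""
    findings: List[str] = []
    http, ari = _parse(http_conf), _parse(ari_conf)
    if ari.get("general", "enabled", fallback="no").lower() != "yes":
        return findings  # ARI disabled: its accounts are unreachable
    for key, label in (("bindaddr", "HTTP/WS"), ("tlsbindaddr", "HTTPS/WSS")):
        addr = http.get("general", key, fallback="")
        if addr.startswith(("0.0.0.0", "::", "[::]")):
            findings.append(f"{label} ARI listener bound to all interfaces ({addr})")
    for section in ari.sections():
        if ari.get(section, "type", fallback="") != "user":
            continue
        if ari.get(section, "password_format", fallback="plain").lower() == "plain":
            findings.append(f"ARI user '{section}' stores a plaintext password")
        if ari.get(section, "read_only", fallback="no").lower() != "yes":
            findings.append(f"ARI user '{section}' has write access (read_only=no)")
    return findings
```

A clean result still does not prove the distribution-supplied ARI password has been changed; after patching, rotate every ARI account and restrict the listeners to the interfaces that actually need them.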

© 2023, QSecure
Head Office

109 Prodromou Str. (Office 101),
2064, Strovolos Nicosia, Cyprus

Contact Info

info@qsecure.com.cy
Ph: (+357) 22 028014