Sangoma FreePBX Linux Insecure Permissions

Vendor of the product: Sangoma Technologies Corporation
Affected products:
   Product: Sangoma FreePBX Linux (ISO images SNG7-PBX16-64bit)
      Versions: 2105,2109,2112,2201,2202,2203
   Product: Sangoma FreePBX Linux (ISO images SNG7-(F)PBX-64bit)
      Versions: 1805,1904,1910,2002,2008,2011,2104,2203,2302

Attack Type: Remote
Discovered: 01/02/2023
Reported: 28/02/2023
Disclosed: 10/04/2023
Affected Components: Asterisk REST Interface (ARI)
CVE assigned: CVE-2023-26567
CVSS Score: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)

Vulnerability Description: Sangoma FreePBX Linux 7 versions from 1805 to 2302, during installation from the official ISO images, add in their Asterisk list of global variables the AMPDBUSER, AMPDBPASS, AMPMGRUSER, AMPMGRPASS variables which expose cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface.

Attack Vector: To exploit the vulnerability, attackers must connect to either port 8088/tcp (HTTP/WS) or 8089/tcp (HTTPS/WSS), authenticate with the ARI service and issue a request to the specific API endpoint, as follows: /ari/asterisk/variable?variable=AMPDBPASS

Impact: If the Asterisk Database (MariaDB/MySQL) and/or Asterisk Manager Interface has been configured by the administrator to accept remote connections, attackers can issue Asterisk commands, read events, make configuration changes, extract useful information (e.g. extension passwords, SIP trunk information), download files from the filesystem and/or upload files to it (e.g. webshell).