Lucene search

MitreCVE-2007-6424

HistoryDec 18, 2007 - 7:46 p.m.

CVE-2007-6424

2007-12-1819:46:00

CWE-264

mitre

web.nvd.nist.gov

cve-2007-6424

fonality trixbox 2.0 pbx

registry.pl

dns spoofing attack

command execution

remote code execution

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

7.4

Confidence

High

EPSS

0.008

Percentile

82.0%

JSON

registry.pl in Fonality Trixbox 2.0 PBX products, when running in certain environments, reads and executes a set of commands from a remote web site without sufficiently validating the origin of the commands, which allows remote attackers to disable trixbox and execute arbitrary commands via a DNS spoofing attack.

Affected configurations

Nvd

Node

netfortristrixboxMatch2.0

VendorProductVersionCPE
netfortristrixbox2.0cpe:2.3:a:netfortris:trixbox:2.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
netfortris	trixbox	2.0	cpe:2.3:a:netfortris:trixbox:2.0:::::::*

References

osvdb.org/44136

voipsa.org/blog/2007/12/17/trixbox-contains-phone-home-code-to-retrieve-arbitrary-commands-to-execute/

voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html

voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002528.html

voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002533.html

www.superunknown.org/pivot/entry.php?id=15

www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

7.4

Confidence

High

EPSS

0.008

Percentile

82.0%

JSON

Related for CVE-2007-6424