CVE-2019-12147

9.8 CRITICAL

📋 TL;DR

CVE-2019-12147 is an argument injection vulnerability in Sangoma Session Border Controller's web interface that allows unauthenticated attackers to create privileged system users. Successful exploitation leads to complete device compromise via sudo privileges. This affects Sangoma SBC version 2.3.23-119 GA.

💻 Affected Systems

Products:
  • Sangoma Session Border Controller
Versions: 2.3.23-119 GA
Operating Systems: Linux-based embedded OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default web interface configuration. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover: attacker gains root-level access, can modify configurations, intercept traffic, install persistent backdoors, and pivot to other network systems.

🟠 Likely Case

Unauthenticated attacker creates sudo user, logs in via SSH/web interface, and gains full control of the SBC device to intercept/modify VoIP traffic.

🟢 If Mitigated

If properly patched or network-isolated, impact is limited to denial of service attempts or failed exploitation attempts.

🌐 Internet-Facing: HIGH - Web interface is typically internet-facing for remote management, allowing direct exploitation without network access.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers, but requires network access to the SBC management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available since 2019. Exploitation requires sending specially crafted HTTP requests to the web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.3.23-119 GA

Vendor Advisory: https://help.sangoma.com/community/s/article/Sangoma-SBC-Security-Vulnerability-October-2019

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade to the latest Sangoma SBC version.
3. Apply security patches from the vendor.
4. Restart the SBC device.
5. Verify that no unauthorized users exist on the system.

🔧 Temporary Workarounds

Network Isolation (linux)

Restrict access to the SBC web interface management IP/port. Replace TRUSTED_NETWORK with the management network's address or CIDR. Because -A appends rules, the two ACCEPT rules must be added before the DROP rules, or the trusted network will be blocked too.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Web Interface (linux)

Temporarily disable the web management interface if it is not required. If the SBC's web service runs under a different unit name, substitute it for apache2.

systemctl stop apache2
systemctl disable apache2

🧯 If You Can't Patch

  • Implement strict network ACLs to allow only trusted IPs to access SBC management interface
  • Monitor system logs for unauthorized user creation attempts and review existing users for suspicious accounts

🔍 How to Verify

Check if Vulnerable:

Check if the affected version is running: grep '2.3.23-119' /etc/issue, or check the version shown in the web interface. Test with the proof-of-concept only if authorized.

Check Version:

grep Sangoma /etc/issue, or check the web interface login page for version information.

Verify Fix Applied:

Verify that the version is later than 2.3.23-119. Attempt exploitation only as part of authorized testing to confirm that the patch is effective.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized user creation in /var/log/auth.log
  • Web interface POST requests with special characters in username field
  • sudo privilege escalation attempts from new users

Network Indicators:

  • HTTP POST requests to /var/webconfig/gui/Webconfig.inc.php with injection payloads
  • SSH login attempts from newly created users

SIEM Query:

source="auth.log" AND ("useradd" OR "new user" OR "sudo") AND NOT user="root" AND NOT user="admin"
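The checks in the "How to Verify" and "Detection & Monitoring" sections above, as an added example that is not part of the original advisory: a small Python audit that reads the version string from /etc/issue and scans auth.log for the post-exploitation pattern the advisory describes (a new account created, added to the sudo or wheel group, then used over SSH and with sudo). The log lines, the host name "sbc", the user "svcadmin" and the KNOWN_USERS set are constructed sample data and assumptions; the log formats are the usual shadow-utils/sshd/sudo syslog formats, so adapt the patterns if the SBC logs differently.

```python
import re
from typing import Dict, List, Set

# Assumption: the accounts expected on the SBC. Anything else is reported.
KNOWN_USERS: Set[str] = {"root", "admin"}

# Version string named in the advisory as affected.
AFFECTED_VERSION = "2.3.23-119"

# Constructed sample auth.log excerpt (not real Sangoma output) showing the
# sequence the advisory warns about: account created, granted sudo, used.
SAMPLE_AUTH_LOG = """\
Oct 12 09:00:00 sbc sshd[1999]: Accepted publickey for admin from 10.0.0.5 port 40000 ssh2
Oct 12 09:30:00 sbc sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl status sbc
Oct 12 10:01:02 sbc useradd[2301]: new user: name=svcadmin, UID=1003, GID=1003, home=/home/svcadmin, shell=/bin/bash
Oct 12 10:01:03 sbc usermod[2305]: add 'svcadmin' to group 'sudo'
Oct 12 10:02:10 sbc sshd[2401]: Accepted password for svcadmin from 203.0.113.7 port 51234 ssh2
Oct 12 10:02:15 sbc sudo:   svcadmin : TTY=pts/0 ; PWD=/home/svcadmin ; USER=root ; COMMAND=/bin/bash
"""

# Each pattern captures the user name as group 1.
PATTERNS = {
    "created": re.compile(r"useradd\[\d+\]: new user: name=([\w.-]+)"),
    "added_to_sudo": re.compile(r"usermod\[\d+\]: add '([\w.-]+)' to group '(?:sudo|wheel)'"),
    "ssh_login": re.compile(r"sshd\[\d+\]: Accepted \w+ for ([\w.-]+) from"),
    "sudo_used": re.compile(r"sudo:\s+([\w.-]+) : TTY=.*?USER=root"),
}


def is_affected_version(issue_text: str) -> bool:
    """True if the contents of /etc/issue name the affected release."""
    return AFFECTED_VERSION in issue_text


def audit_auth_log(log_text: str, known_users: Set[str] = KNOWN_USERS) -> Dict[str, List[str]]:
    """Map each unexpected user to the ordered list of events seen for it."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        for event, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and match.group(1) not in known_users:
                findings.setdefault(match.group(1), []).append(event)
    return findings


def likely_compromised(findings: Dict[str, List[str]]) -> List[str]:
    """Users that were both created and granted sudo: the advisory's exact pattern."""
    return sorted(u for u, ev in findings.items() if "created" in ev and "added_to_sudo" in ev)


if __name__ == "__main__":
    try:
        with open("/etc/issue") as f:
            print("affected version:", is_affected_version(f.read()))
    except OSError:
        print("could not read /etc/issue")
    report = audit_auth_log(SAMPLE_AUTH_LOG)
    for user, events in report.items():
        print(f"{user}: {', '.join(events)}")
    print("likely compromised:", likely_compromised(report))
```

In practice, pass the real file contents to audit_auth_log instead of the sample, and extend KNOWN_USERS with every account that legitimately exists on the device; any user reported by likely_compromised should be treated as an incident, not just removed.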
