Charlie Wolf

**Name of the Vulnerable Software and Affected Versions** Fonality versions 12.6 through 14.1i **Description** The issue is related to a hardcoded password for the FTP account in the Fonality software, allowing remote attackers to gain access via FTP or SSH connections. This can enable unauthorized access to protected information. **Recommendations** For versions 12.6 through 14.1i, update the software to a version released after 2016-06-01 to remove the hardcoded password. As a temporary workaround, consider changing the FTP account password to a unique and secure value until a patched version is available. Restrict access to FTP and SSH connections to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fonality (previously trixbox Pro) versions 12.6 through 14.1i **Description** The issue allows local users to obtain root access for command execution by leveraging access to the nobody account, due to weak permissions for the /var/www/rpc/surun script. **Recommendations** For versions 12.6 through 14.1i, update to a version released after 2016-06-01 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Chrome HUDweb plugin for Fonality versions 12.6 through 14.1i **Description** The issue allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a hardcoded private key from another installation. This is possible because the Chrome HUDweb plugin uses the same hardcoded private key across different customers' installations. **Recommendations** For Chrome HUDweb plugin for Fonality versions 12.6 through 14.1i, consider updating to a version released after 2016-05-05 to replace the hardcoded private key with a unique key for each installation.