PT-2019-12659 · Sangoma · Sangoma Session Border Controller

Published: 2019-10-18 · Updated: 2020-08-24 · CVE-2019-12147

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sangoma Session Border Controller (SBC) version 2.3.23-119 GA

Description: The issue allows argument injection via special characters in the username field, enabling a remote unauthenticated user to create a local system user with sudo privileges. This can lead to complete compromise of the device, because the created user can log in to the system via the web interface or SSH. The vulnerable components are /var/webconfig/gui/Webconfig.inc.php and /usr/local/sng/bin/sng-user-mgmt.

Recommendations: For Sangoma Session Border Controller (SBC) version 2.3.23-119 GA, consider restricting access to the web interface until a patch is available, and avoid using special characters in the username field to minimize the risk of exploitation. As a temporary workaround, restrict the creation of local system users with sudo privileges to prevent potential compromise.
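The defensive pattern behind this class of bug is to never let a user-supplied name reach a command-line tool as anything but a validated positional argument. The following Python is an added illustration, not code from Sangoma or from the advisory: it shows an allowlist check for usernames, an argv builder that refuses option-like or metacharacter-bearing names (the `add` subcommand and the `--` end-of-options marker are assumptions, since the advisory does not document the real sng-user-mgmt syntax), and a small detector that flags such names in constructed web-server access-log lines (the `/gui/user.php` path and the log lines are made up for the example). The real component is PHP; Python is used here only so the logic can be run and checked.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Allowlist for POSIX-style local user names: must start with a lowercase
# letter or underscore, so it can never begin with '-' and be parsed as an
# option, and may contain no shell metacharacters or whitespace.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Characters typical of argument/command injection attempts; used only to
# explain *why* a name was rejected when logging.
SUSPICIOUS = {"-", ";", "|", "&", "$", "`", " ", "\t", "\n", "'", '"', "\\"}


def validate_username(name: str) -> bool:
    """Return True only if the name is safe to hand to a user-management CLI."""
    return bool(USERNAME_RE.fullmatch(name))


def rejection_reason(name: str) -> str:
    """Explain a rejection; useful when logging attempted argument injection."""
    if validate_username(name):
        return ""
    if name.startswith("-"):
        return "leading '-' would be parsed as a command-line option"
    bad = sorted(c for c in set(name) if c in SUSPICIOUS)
    if bad:
        return "contains disallowed characters: " + repr("".join(bad))
    return "does not match allowlist pattern"


def build_user_mgmt_argv(
    name: str, tool: str = "/usr/local/sng/bin/sng-user-mgmt"
) -> List[str]:
    """Build an argv list (never a shell string) for a hypothetical add-user call.

    'add' is a hypothetical subcommand, not the documented sng-user-mgmt syntax.
    The '--' end-of-options marker is a second layer: even if the allowlist were
    loosened, a getopt-style parser would treat the name as positional.
    """
    if not validate_username(name):
        raise ValueError(f"refusing username {name!r}: {rejection_reason(name)}")
    return [tool, "add", "--", name]


# Constructed sample access-log lines (not real device logs) for the detector.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2019:10:00:01 +0000] "POST /gui/user.php?username=alice&role=admin HTTP/1.1" 200 512
10.0.0.9 - - [18/Oct/2019:10:00:07 +0000] "POST /gui/user.php?username=-o%20x HTTP/1.1" 200 512
10.0.0.9 - - [18/Oct/2019:10:00:09 +0000] "POST /gui/user.php?username=bob%3Bid HTTP/1.1" 200 512
"""


def find_suspicious_usernames(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, decoded_username, reason) for requests whose
    'username' query parameter fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r'^(\S+) .*?"(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        ip, url = m.groups()
        for name in parse_qs(urlsplit(url).query).get("username", []):
            if not validate_username(name):
                hits.append((ip, name, rejection_reason(name)))
    return hits


if __name__ == "__main__":
    print(build_user_mgmt_argv("alice"))
    for ip, name, why in find_suspicious_usernames(SAMPLE_LOG):
        print(f"{ip}: username {name!r} rejected: {why}")
```

Running the block prints the safe argv for `alice` and two flagged requests from the constructed log. In a real deployment the same allowlist belongs in the web layer before the name is ever passed to the management binary, and the detector's output is the sort of signal worth alerting on while the web interface stays exposed.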

Exploit · Fix · Argument Injection


Weakness Enumeration

Related Identifiers

CVE-2019-12147

Affected Products

Sangoma Session Border Controller