PT-2022-8313 · Debian+1 · Debian+1
Published: 2022-06-07 · Updated: 2022-06-14
CVE-2019-9971
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
3CX Phone System (Debian based installation) version 16.0.0.1570
Description
The issue allows an attacker to gain root privileges without a password by utilizing the tcpdump command with sudo. This is due to the unsafe use of the -z option (also known as postrotate-command) in conjunction with sudo.
Recommendations
For version 16.0.0.1570, as a temporary workaround, consider restricting the use of the tcpdump command with sudo until a patch is available. Avoid using the -z option with sudo to minimize the risk of exploitation.
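One way to check a host for the condition described above, as an added example that is not part of the original advisory or of 3CX's software: a Python audit that flags sudoers rules letting the caller choose tcpdump's arguments. The sudoers lines and account names are constructed, the function name `audit_sudoers` is hypothetical, and aliases and included files are not resolved.

```python
import re

# Constructed sample sudoers content; account names are hypothetical.
SAMPLE_SUDOERS = """\
# constructed example, not taken from a 3CX installation
svc_example ALL=(root) NOPASSWD: /usr/sbin/tcpdump
svc_capture ALL=(root) NOPASSWD: /usr/sbin/tcpdump -i eth0 -w /var/cap/*
svc_fixed   ALL=(root) NOPASSWD: /usr/sbin/tcpdump -c 100 -i eth0 -w /var/cap/trace.pcap
operator    ALL=(root) /usr/bin/systemctl restart nginx
"""

SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")  # user host=(runas) cmds
TAG = re.compile(r"^([A-Z_]+):\s*")                              # e.g. "NOPASSWD: "

def audit_sudoers(text):
    """Return (line_no, user, nopasswd, command, reason) for risky tcpdump rules."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, nopasswd = m.group(1), False
        for cmd in m.group(2).split(","):
            cmd = cmd.strip()
            # A tag prefixes a command and carries over to the commands after it.
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            parts = cmd.split()
            if not parts or parts[0].rsplit("/", 1)[-1] != "tcpdump":
                continue
            args = parts[1:]
            if not args:
                reason = "no argument list: caller may pass any option, including -z"
            elif any("*" in a or "?" in a for a in args):
                reason = "wildcard in arguments can match extra options such as -z"
            elif "-z" in args:
                reason = "rule itself uses -z (postrotate-command)"
            else:
                continue  # fixed argument list without -z
            findings.append((line_no, user, nopasswd, cmd, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

A rule with a fixed argument list and no -z, like the `svc_fixed` line, is the shape the workaround aims for; findings with `nopasswd` set to true match the passwordless case the description names.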
Weakness Enumeration
Improper Privilege Management
Related Identifiers
Affected Products
3CX Phone System
Debian