Unrated severity · NVD Advisory · Published Jul 29, 2020 · Updated Aug 5, 2024

CVE-2017-18923

Description

beroNet VoIP Gateways before 3.0.16 have a PHP script that allows downloading arbitrary files, including ones with credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

beroNet VoIP Gateways before 3.0.16 allow unauthenticated arbitrary file download via a PHP script, exposing SIP credentials.

Vulnerability

A PHP script on beroNet VoIP Gateways allows downloading arbitrary files from the filesystem without authentication [1][2]. This includes SIP configuration files, /etc/shadow, and the configuration database. The vulnerability affects all firmware versions 2.x and 3.x; it is fixed in version 3.0.16 and in the later 16.x releases [2]. The script is accessible via the web interface, so the attack requires the gateway's HTTP port to be reachable [1].

Exploitation

An attacker needs network access to the HTTP port of the gateway; no authentication is required [1]. The attacker can request the vulnerable PHP script directly to download sensitive files. According to reports, attacks began between Christmas and New Year 2016/2017, likely targeting periods of low staffing [1]. Downloading the SIP configuration gives the attacker the provider credentials [1][2].

Impact

Successful exploitation allows the attacker to read arbitrary files, including SIP credentials, which can be used to make fraudulent calls, causing financial loss [1][2]. The attacker may also obtain other sensitive data such as password hashes from /etc/shadow or the configuration database [2].

Mitigation

The vulnerability is fixed in firmware version 3.0.16 and all 16.x versions (starting from 16.05) [2]. Users on the 2.x branch must upgrade to a supported version, as 2.x is no longer maintained [1]. As a workaround, restrict HTTP access to the gateway via firewall or ACL to trusted administrators only [1][2]. After an attack, all passwords stored on the gateway should be changed [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
