CVE-2016-2364 - Vulnerability Details - OpenCVE

ReportizFlow

The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fonality	Fonality Hud Web

Configuration 1 [-]

AND

cpe:2.3:a:fonality:hud_web:*:*:*:*:*:fonality:*:*

OR	cpe:2.3:a:fonality:fonality:12.6:::::::*
	cpe:2.3:a:fonality:fonality:12.8:::::::*
	cpe:2.3:a:fonality:fonality:14.1i:::::::*

No data.

References

Link	Providers
http://www.kb.cert.org/vuls/id/754056

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2016-06-20T01:00:00

Updated: 2024-08-05T23:24:49.124Z

Reserved: 2016-02-12T00:00:00

Link: CVE-2016-2364

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-06-20T01:59:05.820

Modified: 2025-04-12T10:46:40.837

Link: CVE-2016-2364

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-06-01T00:00:00", "descriptions": [{"lang": "en", "value": "The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-06-20T01:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#754056", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/754056"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2016-2364", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#754056", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/754056"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:24:49.124Z"}, "title": "CVE Program Container", "references": [{"name": "VU#754056", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/754056"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2016-2364", "datePublished": "2016-06-20T01:00:00", "dateReserved": "2016-02-12T00:00:00", "dateUpdated": "2024-08-05T23:24:49.124Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fonality:hud_web:*:*:*:*:*:fonality:*:*", "matchCriteriaId": "BD35F1F1-F0AA-46F9-B24C-66554B45F7C4", "versionEndIncluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:fonality:fonality:12.6:*:*:*:*:*:*:*", "matchCriteriaId": "29E9F615-9032-40D5-85C1-7585095A4CE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fonality:fonality:12.8:*:*:*:*:*:*:*", "matchCriteriaId": "5E12C4A8-CE71-438B-BA3E-834C0B3B8E45", "vulnerable": true}, {"criteria": "cpe:2.3:a:fonality:fonality:14.1i:*:*:*:*:*:*:*", "matchCriteriaId": "422FB29B-AB6B-4742-9331-DAC5F4A91315", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation."}, {"lang": "es", "value": "El plugin Chrome HUDweb en versiones anteriores a 2016-05-05 para Fonality (anteriormente trixbox Pro) 12.6 hasta la versi\u00f3n 14.1i utiliza la misma clave privada embebida para instalaciones de diferentes clientes, lo que permite a atacantes remotos vencer los mecanismos de protecci\u00f3n criptogr\u00e1fica aprovechando el conocimiento de esta clave de otra instalaci\u00f3n."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/321.html\">CWE-321: Use of Hard-coded Cryptographic Key</a>", "id": "CVE-2016-2364", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2016-06-20T01:59:05.820", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/754056"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/754056"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}, {"lang": "en", "value": "NVD-CWE-Other"}], "source": "[email protected]", "type": "Primary"}]}