QwikSec

Security Database

CVE

CWE

Training

CVE-2019-9971

Published: Jun 7, 2022

Modified: Aug 4, 2024

PUBLISHED

Description

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an attacker to gain root privileges by using sudo with the tcpdump command, without a password. This occurs because the -z (aka postrotate-command) option to tcpdump can be unsafe when used in conjunction with sudo.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.securusglobal.com/community/2014/03/17/how-i-got-root-with-sudo/

x_refsource_MISC

https://www.gosecure.net/blog

x_refsource_MISC

https://www.gosecure.net/blog/2022/05/31/security-advisory-multiple-vulnerabilities-impact-3cx-phone-system/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.