Security Vulnerability Notice

We are writing to inform you of a security vulnerability reported yesterday in FreePBX ticket 7123 (originally reported in ticket 7117, which is locked because it contains sensitive information). The affected versions are FreePBX 2.9 before 2.9.0.14, FreePBX 2.10 before 2.10.1.15, FreePBX 2.11 before 2.11.0.23, and FreePBX 12 before 12.0.1alpha22. You should immediately update your FreePBX Framework module to secure your system against a potential attack.
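The fastest way to tell whether a given install needs this update is to compare its Framework module version against the fixed versions listed above. The Python below is an added example, not code from the original notice or from the FreePBX project: it encodes the four series and their first fixed release as given here, and orders a pre-release tag such as `12.0.1alpha22` before the bare release `12.0.1` (an assumption about FreePBX version strings that matters for the 12 series). It runs offline on version strings you supply; how you obtain the installed version (module admin, the GUI) is up to you.

```python
import re

# Fixed Framework versions, taken from this notice. Each entry pairs a
# series prefix with the first release of that series that carries the fix.
FIXED_VERSIONS = [
    ("2.9", "2.9.0.14"),
    ("2.10", "2.10.1.15"),
    ("2.11", "2.11.0.23"),
    ("12", "12.0.1alpha22"),
]

# A version string is split into numeric runs and alphabetic runs.
_TOKEN_RE = re.compile(r"\d+|[A-Za-z]+")

# Sentinel appended to every parsed version so that a bare release
# (12.0.1) sorts after its own pre-releases (12.0.1alpha22).
_END = (1, 0)


def parse_version(version):
    """Turn a FreePBX version string into a tuple that compares correctly.

    Numeric runs become (1, int); alphabetic runs such as 'alpha' become
    (0, str). The leading 0 makes a pre-release tag sort before the numeric
    continuation of a release, so 12.0.1alpha22 < 12.0.1 and
    2.9.0 < 2.9.0.14 (a missing component counts as 0).
    """
    key = []
    for part in version.strip().split("."):
        for token in _TOKEN_RE.findall(part):
            if token.isdigit():
                key.append((1, int(token)))
            else:
                key.append((0, token.lower()))
    if not key:
        raise ValueError("not a version string: %r" % version)
    key.append(_END)
    return tuple(key)


def is_affected(installed):
    """Classify an installed Framework version against the notice.

    Returns True if the version is in an affected range, False if it already
    carries the fix, and None if the notice does not name that series
    (for example a 2.8 install), which must then be judged separately.
    """
    installed = installed.strip()
    for series, fixed in FIXED_VERSIONS:
        if installed == series or installed.startswith(series + "."):
            return parse_version(installed) < parse_version(fixed)
    return None


if __name__ == "__main__":
    # Constructed sample versions, one per series plus an unlisted one.
    for v in ["2.9.0.13", "2.10.1.15", "2.11.0.22", "12.0.1alpha21", "12.0.1", "2.8.1.4"]:
        status = {True: "AFFECTED - update now", False: "fixed", None: "not covered by notice"}
        print("%-14s %s" % (v, status[is_affected(v)]))
```

The pre-release rule is the part most easily got wrong: a naive string or tuple comparison would rank `12.0.1` below `12.0.1alpha22` and report a fixed 12 install as vulnerable, so the sentinel is deliberate.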

The vulnerability is a Remote Command Execution (RCE) flaw: an attacker who reaches the vulnerable code can have arbitrary system commands executed on the PBX. This may result in serious damage to the system or in the extraction of passwords and other credentials readable by the user the Apache web server runs as (asterisk on most systems).

There were no known exploits at the time this issue was reported, but once a vulnerability is public it is common for attackers to write scripts that scan the internet for vulnerable systems. The primary attack mode is blocked on a system that protects the web interface with HTTP authentication, as some distros do by default. Unfortunately, it is trivial to develop a cross-site (XSS-style) attack that reaches this vulnerability indirectly through the browser of an administrator who is already logged in, and that route works against every FreePBX authentication option. As such, all systems should be considered vulnerable and updated. The fix addresses all attack modes.

(CVE-2014-1903)

Please make sure to update your systems immediately. Earlier today we also informed the project teams of the other popular FreePBX distros, as well as our Certified Hosting Partners.

The FreePBX and Schmooze Team!

4 thoughts on “Security Vulnerability Notice”

  1. It appears ticket 7120 may be the first sign of an exploit against this vulnerability. As a result of posting the blog, Mustardman has provided additional logs upon the development team’s request that appear to indicate the same attack mechanism. If there is additional helpful information it will be attached to the master ticket 7123 since his ticket 7120, and the original ticket 7117 under which this vulnerability was first reported will remain locked due to sensitive data.

  2. Hi, can you confirm that access to the FreePBX web site on port 80 is needed? It looks that way from the bug post but I’d like to confirm this.

    Thanks,
    Tim Miller Dyck

  3. The admin GUI must be accessible for this attack, through port 80 unless you’ve configured something different (e.g. https/443). Whether or not you have your site protected by a firewall (which is highly recommended), you want to apply this fix.
