Friday, October 24, 2014

FreePBX Critical RCE Vulnerability

[Image: FreePBX vulnerability, http://snapvoip.blogspot.com/]

The FreePBX team has been made aware of a critical zero-day Remote Code Execution and Privilege Escalation exploit related to the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. The exploit can compromise any user who has installed FreePBX prior to version 12, as well as users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.

The exploit allows anyone including hackers to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which could be used to grant the attacker full remote code execution access as the user running the Apache process.

The FreePBX team has released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12. Users of FreePBX versions 2.8 and prior need to upgrade to a supported version. This can easily be done through Module Admin, which will remove the vulnerability. Versions 2.11 and 12 are the only officially supported versions of FreePBX, so why not be current.
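To turn the affected-version rules above into a repeatable check across several PBX hosts, here is an added triage helper; it is not code from the FreePBX project or from this post. It assumes the legacy module's raw name is fw_ari and runs over a constructed inventory.

```python
"""Triage helper for CVE-2014-7235 (legacy FreePBX ARI Framework module).

Encodes the advisory's rules: every release before 12 is exposed (2.9-2.11
have an update; 2.8 and older must be upgraded), and FreePBX 12 is exposed
only when the legacy ARI module is still installed.
"""
from typing import Dict, List, Tuple

ARI_MODULE = "fw_ari"  # assumed raw name of the legacy ARI Framework module
PATCHED_BRANCHES = {(2, 9), (2, 10), (2, 11)}  # pre-12 branches with a fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.11.0.40' into (2, 11, 0, 40); a non-numeric tail is dropped."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def assess(version: str, modules: List[str]) -> Tuple[bool, str]:
    """Return (exposed, recommended action) for one host."""
    v = parse_version(version)
    if not v:
        return True, "unknown version: treat as exposed and verify manually"
    if v[0] >= 12:
        if ARI_MODULE in modules:
            return True, "remove the legacy ARI Framework module, then update"
        return False, "not affected: FreePBX 12 without the legacy ARI module"
    if v[:2] in PATCHED_BRANCHES:
        return True, "apply the released update via Module Admin"
    return True, "unsupported release: upgrade to 2.11 or 12"


def triage(inventory: Dict[str, Tuple[str, List[str]]]) -> Dict[str, str]:
    """Map host -> action for every host the advisory marks as exposed."""
    results = {host: assess(ver, mods) for host, (ver, mods) in inventory.items()}
    return {host: action for host, (exposed, action) in results.items() if exposed}


# Constructed sample inventory: host -> (FreePBX version, installed module raw names)
SAMPLE_INVENTORY = {
    "pbx-a": ("2.8.1.4", ["framework", "core", "fw_ari"]),
    "pbx-b": ("2.11.0.40", ["framework", "core", "fw_ari"]),
    "pbx-c": ("12.0.1", ["framework", "core", "fw_ari"]),  # upgraded, module kept
    "pbx-d": ("12.0.1", ["framework", "core"]),             # clean FreePBX 12
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```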

FreePBX is warning users of a critical RCE vulnerability

CVE: 2014-7235
Date: 2014-09-30
Author: James Finstrom
Ticket: http://issues.freepbx.org/browse/FREEPBX-8070

UPDATE:
Please run the commands in
http://wiki.freepbx.org/display/L1/FreePBX+Security+Scan
