FreePBX Critical RCE Vulnerability
FreePBX vulnerability http://snapvoip.blogspot.com/
The FreePBX team has been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit related to the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. The exploit can compromise any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.
The exploit allows anyone including hackers to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which could be used to grant the attacker full remote code execution access as the user running the Apache process.
The FreePBX team has released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12. Users of FreePBX versions 2.8 and prior need to upgrade to a supported version. This can easily be done through Module Admin, which will remove the vulnerability. Versions 2.11 and 12 are the only officially supported versions of FreePBX, so why not be current?
FreePBX is warning users of a critical RCE vulnerability
CVE: CVE-2014-7235
Date: 2014-09-30
Author: James Finstrom
Ticket: http://issues.freepbx.org/browse/FREEPBX-8070
UPDATE:
Please run the commands in
http://wiki.freepbx.org/display/L1/FreePBX+Security+Scan
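The advisory above boils down to a short triage: unsupported releases (2.8 and older) must be upgraded, and supported releases must either take the Module Admin update or remove the legacy ARI Framework module. The helper below is an added example, not code from the advisory or the FreePBX project; it assumes the module listing is the text printed by `amportal a ma list` (FreePBX 2.x) or `fwconsole ma list` (FreePBX 12+) and that the legacy module appears there under the rawname `fw_ari`.

```shell
#!/bin/sh
# Added example, not part of the FreePBX advisory or code base.
# Classifies an installed FreePBX system against the ARI advisory from
# its version string and its module listing.
# Assumptions: the listing comes from `amportal a ma list` (2.x) or
# `fwconsole ma list` (12+), and the legacy ARI Framework module is
# listed under the rawname "fw_ari".

# ari_present LISTING -> exit 0 if the legacy ARI Framework module is listed
ari_present() {
    printf '%s\n' "$1" | grep -qi 'fw_ari'
}

# ari_action VERSION LISTING -> prints one of:
#   upgrade-unsupported   2.8 or older: no fix shipped, upgrade to a supported release
#   update-or-remove-ari  ARI module still installed: apply the Module Admin update
#                         (2.9/2.10/2.11/12) or remove the legacy module
#   no-ari-module         supported release without the legacy module
ari_action() {
    ver="$1"; listing="$2"
    major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;   # "2.11.0.43" -> 2 / 11
        *)   minor=0 ;;                             # bare "12"   -> 12 / 0
    esac
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -le 8 ]; }; then
        echo upgrade-unsupported
    elif ari_present "$listing"; then
        echo update-or-remove-ari
    else
        echo no-ari-module
    fi
}

# Constructed sample listings (shape of the module-admin table; versions invented).
LISTING_WITH_ARI='| Module  | Version   | Status  |
| core    | 2.11.0.43 | Enabled |
| fw_ari  | 2.11.0.9  | Enabled |'
LISTING_CLEAN='| Module  | Version   | Status  |
| core    | 12.0.1    | Enabled |'

# Stand-alone run: classify the constructed samples.
ari_action 2.11.0.43 "$LISTING_WITH_ARI"   # update-or-remove-ari
ari_action 12.0.1 "$LISTING_CLEAN"         # no-ari-module
```

On a live system, capture the real listing into a variable (`LISTING=$(fwconsole ma list)`) and pass it with the version from the Admin page; a `update-or-remove-ari` result is the case the advisory calls critical.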