what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FreePBX Authentication Bypass / Account Creation

FreePBX Authentication Bypass / Account Creation
Posted Oct 1, 2014
Authored by Rob Thomas

A remote attacker can bypass authentication and create a false FreePBX Administrator account, which will then let them perform any action on a FreePBX system as the FreePBX user (which is often 'asterisk' or 'apache'). As of 2014/10/01 all versions of FreePBX are affected.

tags | advisory, remote, bypass
SHA-256 | 260d4b01eefece16b936fcbf58b1831d277210366a095cd34a9abbeb2d4109df

FreePBX Authentication Bypass / Account Creation

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We would like to announce that a significant security vulnerability has been discovered in all current versions of FreePBX.

A CVE has been requested from Mitre, but has yet to be provided.

Further details as they come to hand will be available from http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions/24536 which should be treated as the authoritative source of information. The CVE, when provided, will be linked from there.

There is also futher information available there about how to detect and remove any potential intrusion to your FreePBX machine.

Summary:
A remote attacker can bypass authentication and create a false FreePBX Administrator account, which will then let them perform any action on a FreePBX system as the FreePBX user (which is often 'asterisk' or 'apache').

This vulnerability is caused by the improper use of 'unserialize' in a legacy package that has been deprecated in the latest versions of FreePBX, but is still in common use.

An emergency security release has been pushed to resolve this for all supported versions (12, 2.11, and 2.10) as well as an emergency backport to 2.9, which is outside of our normal supported environment.

If you are running a version prior to 2.9, and are unable to upgrade, the patch is available below.

The fixed module versions are:
2.9: fw_ari v2.9.0.9
2.10: fw_ari v2.11.1.5
2.11: fw_ari v2.11.1.5 (not a typo, it’s the same module version)

In FreePBX 12 ARI is deprecated in favour of the new User Control Panel, but ARI is available as a legacy package if required, as version 12.0.5.

All versions lower than this are vulnerable and should be removed if unable to be upgraded.

Note that disabling them will NOT resolve this issue, the files must be removed or patched.

This issue was discovered by a signature verification failure on a FreePBX 12 system, and the attack appeared to be scripted. As such, this attack should be considered to be 'in the wild', and upgrades should be actioned with the utmost urgency.

FreePBX and Schmooze takes security very seriously, and treat all security issues as a critical event. We urge anyone who has discovered a security vulnerability in FreePBX, or its associated projects, to email security@freepbx.org for an immediate response.

We also continue our recommendation that your FreePBX machines are explicitly firewalled from public access from the internet.

Additional Details:

Overall CVSS Score - 6

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8

Link to patch:
https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836

FreePBX Security Team,
Schmooze Com Inc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJUK1tIAAoJEFH1to0lFV3LLXYQALYBvxM8dNl7GZKoB5WOKIgK
gLXW7L9r3FfCOaFDHNoleexa/rnfnstzCRoRjFrittEC/Terj1NeY0hBtW4CPM8G
29fwNTeaeS1qtWnGNHs4E2cI4NGrn9OisLIHrXIBnLAkw83u1DmB3eL2d5haeek9
z5A5lK8p7uDLlOhSs+6IUVpk2r/P27shFOexrW1TfLZ8pghBkW32WUeROH/S6aRI
YnQpy99hJ3ei2JNYtT+jtIuylXOI+FNgfdf4GS60Qi2kTLoeRIM+y+n9+RYCNQer
65vPHN0nijkyTOTnlGXu+2o7Onb+jQrH16cUgvNrLSUn11REkJDXvfL1VL9fdZ7V
yRw1hAjkW77RmIOObvzRu2WMBi9uzuJTTmHGpywuTB30hbcwttZZYXXGD4Ukj66G
syF/MTMCRbhqSDsGuivNO3tr1fNfHOnqGguTLsozB00XfBQxl//rm5i867VhzYWr
W75FuWnGE9YqMitC7WXqIMMU4r87TQKSh+eVlHoqVNMboPuSO1b4tBq61+jYAlZA
dJThgizHzJLBTCCnWrEZ/vsrlKTyeKQX2/Ku1DijAzLwJ6/XDy2lLF0V5AT7gMEP
ScwlnKiymfM8Lp53W3yqGgCA6Qx9N4zoXsW8WLJE7IqhvWVoKh3NX3iUs50yT1Ji
eStbkZHo4yQKbar/xKj0
=oHVE
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close