exploit the possibilities

FreePBX Authentication Bypass / Account Creation

FreePBX Authentication Bypass / Account Creation
Posted Oct 1, 2014
Authored by Rob Thomas

A remote attacker can bypass authentication and create a false FreePBX Administrator account, which will then let them perform any action on a FreePBX system as the FreePBX user (which is often 'asterisk' or 'apache'). As of 2014/10/01 all versions of FreePBX are affected.

tags | advisory, remote, bypass
MD5 | be8e253ba1f0dd155fc81a0cab78d6ec

FreePBX Authentication Bypass / Account Creation

Change Mirror Download
Hash: SHA1

We would like to announce that a significant security vulnerability has been discovered in all current versions of FreePBX.

A CVE has been requested from Mitre, but has yet to be provided.

Further details as they come to hand will be available from http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions/24536 which should be treated as the authoritative source of information. The CVE, when provided, will be linked from there.

There is also futher information available there about how to detect and remove any potential intrusion to your FreePBX machine.

A remote attacker can bypass authentication and create a false FreePBX Administrator account, which will then let them perform any action on a FreePBX system as the FreePBX user (which is often 'asterisk' or 'apache').

This vulnerability is caused by the improper use of 'unserialize' in a legacy package that has been deprecated in the latest versions of FreePBX, but is still in common use.

An emergency security release has been pushed to resolve this for all supported versions (12, 2.11, and 2.10) as well as an emergency backport to 2.9, which is outside of our normal supported environment.

If you are running a version prior to 2.9, and are unable to upgrade, the patch is available below.

The fixed module versions are:
2.9: fw_ari v2.9.0.9
2.10: fw_ari v2.11.1.5
2.11: fw_ari v2.11.1.5 (not a typo, it’s the same module version)

In FreePBX 12 ARI is deprecated in favour of the new User Control Panel, but ARI is available as a legacy package if required, as version 12.0.5.

All versions lower than this are vulnerable and should be removed if unable to be upgraded.

Note that disabling them will NOT resolve this issue, the files must be removed or patched.

This issue was discovered by a signature verification failure on a FreePBX 12 system, and the attack appeared to be scripted. As such, this attack should be considered to be 'in the wild', and upgrades should be actioned with the utmost urgency.

FreePBX and Schmooze takes security very seriously, and treat all security issues as a critical event. We urge anyone who has discovered a security vulnerability in FreePBX, or its associated projects, to email security@freepbx.org for an immediate response.

We also continue our recommendation that your FreePBX machines are explicitly firewalled from public access from the internet.

Additional Details:

Overall CVSS Score - 6

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8

Link to patch:

FreePBX Security Team,
Schmooze Com Inc
Version: GnuPG v2.0.14 (GNU/Linux)



RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By