2022-04-12 SECURITY: Potential RCE Issue
CVE ID: TBD
Overview:
Remote code execution vulnerabilities have been discovered in the voicemail, core, sms and pms modules for FreePBX 13 and later systems.
Discovered By: thongvv3 from Viettel Cyber Security
Impact:
CVSS Base Score: 8.8
Impact Subscore: 5.9
Exploitability Subscore: 2.8
CVSS Temporal Score: 8.4
CVSS Environmental Score: 6.0
Modified Impact Subscore: 3.5
Overall CVSS Score: 6.0
Vulnerable software and versions:
The following versions contain the fix:
FreePBX 13 -
> Core v13.0.132
> PMS v13.0.3
FreePBX 14 -
> Core v14.0.29
> Voicemail v14.0.7
> PMS v14.0.3
> SMS v14.0.5
FreePBX 15 -
> Core v15.0.22
> Voicemail v15.0.23
> PMS v15.0.3
> SMS v15.0.27
FreePBX 16 -
> Core v16.0.63
> Voicemail v16.0.38
> PMS v16.0.18
> SMS v16.0.13
Related Information:
Internal use: FREEI-4350
Further Details:
A remote code evaluation vulnerability can be exploited when user input is injected into a file or a string that is then executed by the programming language's parser. This behavior is usually not intended by the developer of the web application. Remote code evaluation can lead to a full compromise of the vulnerable web application and of the web server.
Remote code execution vulnerabilities exist in the affected modules because they allow files of any type to be uploaded (e.g. a PHP file containing shell commands), which potentially allows an RCE. To prevent this, uploaded files are now validated by file extension and only supported formats are accepted.
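As an added illustration (not FreePBX or Sangoma code), the allow-list extension check the advisory describes, written in Python; the permitted audio formats, the RIFF/WAVE and MP3 magic checks, and the filename rule are assumptions chosen for a voicemail-style upload endpoint:

```python
"""Allow-list validation for an uploaded media file (added example, not FreePBX code).

Assumptions: the endpoint only needs the audio formats listed below, and the
magic-byte checks for WAV and MP3 are extra defence on top of the extension check.
"""
import os
import re

# Assumed set of formats a voicemail/greeting upload actually needs.
ALLOWED_EXTENSIONS = {"wav", "mp3", "gsm", "ulaw", "alaw", "g722", "sln"}

# Cheap content checks for formats that carry a recognisable header.
MAGIC = {
    "wav": lambda b: b[:4] == b"RIFF" and b[8:12] == b"WAVE",
    "mp3": lambda b: b[:3] == b"ID3"
    or (len(b) >= 2 and b[0] == 0xFF and (b[1] & 0xE0) == 0xE0),
}

# Conservative filename alphabet; excludes NUL, slashes and other control bytes.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason_or_safe_name). Anything not on the allow-list is refused."""
    # Keep only the basename so a client-supplied path cannot steer where the file lands.
    name = os.path.basename(filename.replace("\\", "/"))
    if not _SAFE_NAME.match(name):
        return False, "unsafe filename"
    # The extension is whatever follows the LAST dot, so "shell.wav.php" is a "php" file.
    root, dot, ext = name.rpartition(".")
    if not dot or not root:
        return False, "missing extension"
    ext = ext.lower()  # "greeting.WAV" and "shell.PHP" are compared case-insensitively
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    check = MAGIC.get(ext)
    if check and not check(content):
        return False, f"content does not look like {ext}"
    return True, name


# Constructed sample: a minimal RIFF/WAVE header followed by an empty fmt chunk.
WAV_SAMPLE = b"RIFF" + b"\x24\x00\x00\x00" + b"WAVE" + b"fmt " + b"\x00" * 24
```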
The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX Distro to upgrade to the latest versions noted above. This can be done from the Module Admin GUI or with fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide .
Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@sangoma.com.