2016-08-09 CVE Remote Command Execution with Privileged Escalation

Owned by Nathaniel Halbrooks
Last updated: Jan 31, 2024
2 min read

9-6-2016: UPDATED TO INCLUDE HOTEL WAKEUP MODULE

SEC-2016-004

Overview:

A Remote Command Execution vulnerability that results in Privileged Escalation exists in FreePBX 13 and FreePBX 14 with ‘Recordings’ and 'Hotel Wakeup':

  • Hotel Wakeup Modules versions:

    • 13.0.1alpha2 and 13.0.14

  • System Recordings Module versions:

    • 13.0.1beta1 through 13.0.26

This has been fixed in Recordings 13.0.27 and Hotel Wakeup 13.0.15

Discovered By:

Adrian Maertins <adrian(dot)maertins(at)gmail(at)com>

Impact:

CVSS 3 Details:

  • Base Score: 10

  • Temporal Score: 9.5

  • Environmental Score: 9.5

 

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H

Vulnerable software and versions:

  • FreePBX System Recordings module, between August 2015  (13.0.1beta1) and August 2016 (13.0.26).

  • FreePBX Hotel Wakeup module, between May 2015 (13.0.1alpha2) and August 2016 (13.0.14)

Note that FreePBX 12 and earlier are not affected.

  • This has been fixed in Recordings versions 13.0.27 and higher

  • This has been fixed in Hotel Wakeup versions 13.0.15 and higher

Related Information

Official Bug ticket :  FREEPBX-12908 - 2016-08-09 CVE Remote Command Execution with Privileged Escalation CLOSED

Further Details:

The recordings module lets you playback recorded files. Due to a coding error, certain Ajax requests were unauthenticated when requesting files. This allowed shell execution and privileged escalation if triggered correctly.

This has been fixed in Recordings 13.0.27

The Sangoma and FreePBX team has deemed this a serious security issue, the exploit has not been released into the wild but we have immediately released a patch to resolve it. We strongly encourage all users of FreePBX 13 & 14 to upgrade to the latest framework version. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide .

Sangoma takes security seriously and request that any future FreePBX security issue be reported at security@freepbx.org.

Workaround:

If you are running a vulnerable version of the FreePBX 13, 14 System Recordings Module and are unable to upgrade, make sure that your Admin interface is not accessible from the open Internet.

Return to Documentation Home I Return to Sangoma Support