2023-08-28 SECURITY: Potential Rest Phone Apps Authentication issue

SEC-2023-001


CVE ID: CVE-2023-41903

Overview:

The FreePBX modules and versions noted below have an authentication vulnerability in the Rest Phone Apps module that potentially allows for unauthorized users to bypass password authentication and access services provided by the Phone Apps module.

Discovered By: Systems Research Group <systems.research.group@protonmail.com>

Impact:

  • CVSS Base Score: 7.3

  • Impact Subscore: 3.4

  • Exploitability Subscore: 3.9

  • CVSS Temporal Score: 6.6

  • CVSS Environmental Score: 5.2

  • Modified Impact Subscore: 1.9

  • Overall CVSS Score: 5.2

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:L/MA:L&version=3.1


Vulnerable software and versions:

The following minimum module versions contain the fix; any earlier version of these modules is affected:

FreePBX 15 -

  • Endpoint Manager v15.0.65

  • Restapps  v15.0.41

FreePBX 16 -

  • Endpoint Manager v16.0.86

  • Restapps  v16.0.35
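A small version gate for the fix levels listed above, added here as an example and not part of the advisory or of FreePBX itself. It assumes the installed versions have already been read from Module Admin or fwconsole into a dict keyed by module rawname (the rawname "endpoint" for Endpoint Manager is an assumption; "restapps" is as on the page). It compares each module only against the fix level of its own FreePBX branch, so a 16.0.x build is never waved through by the lower 15.0.x threshold.

```python
"""Check installed FreePBX module versions against the fix levels in SEC-2023-001."""
from typing import Dict, List, Tuple

# Minimum fixed versions from the advisory, keyed by FreePBX major branch.
FIXED_VERSIONS: Dict[int, Dict[str, str]] = {
    15: {"endpoint": "15.0.65", "restapps": "15.0.41"},
    16: {"endpoint": "16.0.86", "restapps": "16.0.35"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.0.65' into (15, 0, 65) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def check_modules(installed: Dict[str, str]) -> List[str]:
    """Return one finding per module that is below the advisory's fix level.

    `installed` maps module rawname -> version string, e.g. {"restapps": "16.0.30"}.
    A module is compared only against the fix level of its own major branch:
    restapps 16.0.30 is still vulnerable even though 16.0.30 > 15.0.41 numerically.
    """
    findings = []
    for module, version in installed.items():
        parsed = parse_version(version)
        branch = parsed[0]
        fixed_for_branch = FIXED_VERSIONS.get(branch)
        if fixed_for_branch is None or module not in fixed_for_branch:
            continue  # module or branch not covered by this advisory
        fixed = parse_version(fixed_for_branch[module])
        if parsed < fixed:
            findings.append(
                f"{module} {version} is below fixed version {fixed_for_branch[module]}"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: values an operator would read from Module Admin or fwconsole.
    sample = {"endpoint": "16.0.86", "restapps": "16.0.30", "core": "16.0.50"}
    for line in check_modules(sample) or ["all advisory modules at or above fix level"]:
        print(line)
```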

Further Details:


FreePBX has an authentication vulnerability in the Rest Phone Apps module that potentially allows unauthorized users to bypass password authentication and access services provided by the Phone Apps module.

The Sangoma and FreePBX engineering team has deemed this a minor security issue. We strongly encourage all users of FreePBX Distro to upgrade to the latest versions noted above. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at Security Information
