2021-09-15 SQL Injection in Asterisk Manager Users Module

  • SEC-2021-010

  • CVE Name : CVE-2021-41059.

  • Overview

    • A SQL injection vulnerability existed in the Asterisk Manager Users module of FreePBX 13, 14, 15 and 16.

  • Discovered By : Igor Semyonov igor@hackeruso.com  

  • Impact :

    • CVSS Base Score: 5.7

    • Impact Subscore: 4.7

    • Exploitability Subscore: 0.9

    • CVSS Temporal Score: 5.3

    • CVSS Environmental Score: 2.6

    • Modified Impact Subscore: 1.9

    • Overall CVSS Score: 2.6

    • CVSS vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:H/MUI:R/MS:U/MC:L/MI:X/MA:X

  • Vulnerable software and versions

    • FreePBX 13 / FreePBX 14 - module: Manager, affected version: <= 13.0.2.9, fixed version: 13.0.2.10.

    • FreePBX 15 - module: Manager, affected version: <= 15.0.12, fixed version: 15.0.13.

    • FreePBX 16 - module: Manager, affected version: <= 16.0.6, fixed version: 16.0.7.

SQL injection (SQLi) is a common attack vector in which malicious SQL is supplied through application input so that the backend database executes it, exposing data that was never intended to be displayed.
That data may include any number of items, including sensitive company data, user lists or private customer details.

To prevent this, the fix uses a parameterized query. A parameterized query is a query in which placeholders stand in for the parameters and the parameter values are supplied separately at execution time, so user input is only ever treated as data and never as part of the SQL statement.
The Manager module now uses the database library's built-in bind function, which binds each placeholder to a named variable; the bound variables' values are passed in (and, for output parameters, received back) when the statement is executed.
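The following is an added example, not code from the FreePBX Manager module or from the advisory. It contrasts the vulnerable pattern (a user-supplied manager name concatenated into the SQL text) with the fixed pattern described above (a prepared statement whose value is bound at execution time). The table layout, the helper names and the sample rows are assumptions constructed for illustration; it needs only PHP with the pdo_sqlite extension and runs offline.

```php
<?php
// Added example, not FreePBX code: string concatenation vs. a bound parameter.
// Table layout, helper names and rows below are constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: two Asterisk manager accounts with their secrets.
$db->exec("CREATE TABLE manager (name TEXT PRIMARY KEY, secret TEXT NOT NULL)");
$db->exec("INSERT INTO manager (name, secret) VALUES ('admin', 'S3cr3t!')");
$db->exec("INSERT INTO manager (name, secret) VALUES ('monitor', 'r3adonly')");

// Vulnerable pattern: the caller's value becomes part of the SQL text, so any
// quotes and operators inside it are parsed as SQL.
function lookupManagerVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, secret FROM manager WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement is prepared with a placeholder first and the
// value is bound afterwards, so it can only ever be compared as data.
function lookupManagerSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name, secret FROM manager WHERE name = :name");
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and appends a
// condition that is always true.
$payload = "nosuchuser' OR '1'='1";

$leaked = lookupManagerVulnerable($db, $payload);
printf("vulnerable: %d row(s) returned for payload %s\n", count($leaked), var_export($payload, true));
foreach ($leaked as $row) {
    // Every account and its secret is disclosed.
    printf("  %s -> %s\n", $row['name'], $row['secret']);
}

$safe = lookupManagerSafe($db, $payload);
printf("parameterized: %d row(s) returned for the same payload\n", count($safe));

// A legitimate lookup still works through the hardened path.
$admin = lookupManagerSafe($db, 'admin');
printf("parameterized lookup of 'admin': %s\n", $admin[0]['name'] ?? 'not found');
```

Run with `php example.php`: the concatenated query returns both rows (and both secrets) for the crafted name, the bound query returns none for it and still finds `admin` when given a real name. The point to check in any code review is that the SQL text handed to `prepare()` contains no interpolated input at all; binding is only a defence if every user-influenced value goes through a placeholder.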

The Sangoma and FreePBX teams have deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14, 15 and 16 to upgrade to the latest "manager" module version. This can be done from the Module Admin GUI or with fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.
