2019-12-03 Remote Command Execution

SEC-2019-002

CVE ID: CVE-2019-19538

Overview:

A Remote Command Execution vulnerability that results in Privilege Escalation exists in FreePBX 13, FreePBX 14, and FreePBX 15 within the ‘System Admin’ (sysadmin) module.


Discovered By:
Dustin Cobb
Aon’s Cyber Labs
cyberlabs@aon.com


Impact:

CVSS v3.1 Details:

  • CVSS Base Score: 8.0

  • Impact Subscore: 6.0

  • Exploitability Subscore: 1.3

  • CVSS Temporal Score: 7.2

  • CVSS Environmental Score: 7.3

  • Modified Impact Subscore: 6.1

  • Overall CVSS Score: 7.3

CVSS Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H
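To show where the 8.0 base score above comes from, here is an added worked example (not part of Aon's or Sangoma's advisory) that parses the published vector string and applies the CVSS v3.1 base-score formulas with the weights from the specification. Only the base metrics (AV, AC, PR, UI, S, C, I, A) are scored; the temporal and environmental components are parsed and ignored, so the temporal and environmental figures above are not reproduced by this code. The function and variable names are this example's own.

```python
import math

# CVSS v3.1 base-metric weights, taken from the CVSS v3.1 specification (section 7.4).
WEIGHT_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
WEIGHT_AC = {"L": 0.77, "H": 0.44}
WEIGHT_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
WEIGHT_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}   # PR weighs more once scope changes
WEIGHT_UI = {"N": 0.85, "R": 0.62}
WEIGHT_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

# The vector string published in this advisory (temporal and environmental parts included).
ADVISORY_VECTOR = ("AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/"
                   "CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H")


def roundup(x):
    """CVSS v3.1 'Roundup': the smallest one-decimal value that is >= x.
    Done on an integer, as the spec's appendix recommends, to avoid float artefacts."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """Split 'AV:N/AC:H/...' into a {metric: value} dict; an optional 'CVSS:3.1/' prefix is skipped."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if key == "CVSS":
            continue
        if not sep or not value:
            raise ValueError(f"malformed metric component: {part!r}")
        metrics[key] = value
    return metrics


def base_score(vector):
    """Return the base score plus impact and exploitability sub-scores for a v3.1 vector.
    Temporal (E/RL/RC) and environmental (CR/.../MA) metrics are accepted but not scored."""
    m = parse_vector(vector)
    missing = [k for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A") if k not in m]
    if missing:
        raise ValueError(f"vector lacks required base metrics: {missing}")
    scope_changed = m["S"] == "C"

    # Impact: the ISS product first, then the scope-dependent impact formula.
    iss = 1 - (1 - WEIGHT_CIA[m["C"]]) * (1 - WEIGHT_CIA[m["I"]]) * (1 - WEIGHT_CIA[m["A"]])
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss

    pr_weight = (WEIGHT_PR_CHANGED if scope_changed else WEIGHT_PR_UNCHANGED)[m["PR"]]
    exploitability = (8.22 * WEIGHT_AV[m["AV"]] * WEIGHT_AC[m["AC"]]
                      * pr_weight * WEIGHT_UI[m["UI"]])

    if impact <= 0:
        base = 0.0
    elif scope_changed:
        base = roundup(min(1.08 * (impact + exploitability), 10))
    else:
        base = roundup(min(impact + exploitability, 10))

    return {"base": base,
            "impact": round(impact, 1),
            "exploitability": round(exploitability, 1)}


if __name__ == "__main__":
    print(base_score(ADVISORY_VECTOR))  # {'base': 8.0, 'impact': 6.0, 'exploitability': 1.3}
```

Running it on the advisory's vector reproduces the Base Score of 8.0, the Impact Subscore of 6.0 and the Exploitability Subscore of 1.3 listed above: AC:H and PR:H pull the exploitability down to 1.3, while S:C with C:H/I:H/A:H keeps the impact high and applies the 1.08 scope-change multiplier.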

Vulnerable software and versions:

All versions earlier than the following:

  • < sysadmin v13.0.92

  • < sysadmin v14.0.38.3

  • < sysadmin v15.0.13.6

Fixed in the following versions:

  • >= sysadmin v13.0.93

  • >= sysadmin v14.0.38.4

  • >= sysadmin v15.0.13.7
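A quick way to triage a fleet against the version boundaries above is to compare the installed sysadmin module version numerically against the fix version for its branch. The following is an added example, not code from Aon or the FreePBX project; the fix versions are the ones listed in this advisory, while the table layout of the sample module listing is constructed for the example and is an assumption about what a module listing looks like, not a format taken from the page.

```python
import re

# Fixed sysadmin module versions by FreePBX branch, as listed in this advisory (SEC-2019-002).
FIXED_SYSADMIN_VERSIONS = {13: "13.0.93", 14: "14.0.38.4", 15: "15.0.13.7"}

# Constructed sample of a module listing; the column layout is an assumption made for
# this example, not output reproduced from the advisory.
SAMPLE_MA_LIST = """\
+-------------+------------+----------+
| Module      | Version    | Status   |
+-------------+------------+----------+
| core        | 14.0.28.1  | Enabled  |
| sysadmin    | 14.0.38.3  | Enabled  |
+-------------+------------+----------+
"""


def parse_version(text):
    """Turn '14.0.38.3' or 'v14.0.38.3' into a tuple of ints so versions compare numerically
    ('14.0.38.10' must sort after '14.0.38.3', which a plain string comparison gets wrong)."""
    cleaned = text.strip().lstrip("v")
    if not re.fullmatch(r"\d+(?:\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in cleaned.split("."))


def sysadmin_status(installed):
    """Classify an installed sysadmin version against the advisory's fix versions.
    Returns 'fixed', 'vulnerable', or 'unknown' for a branch this advisory does not cover."""
    parts = parse_version(installed)
    branch = parts[0]
    if branch not in FIXED_SYSADMIN_VERSIONS:
        return "unknown"
    fixed = parse_version(FIXED_SYSADMIN_VERSIONS[branch])
    # Tuple comparison copes with differing lengths: (15, 0, 13) < (15, 0, 13, 7).
    return "fixed" if parts >= fixed else "vulnerable"


def sysadmin_version_from_ma_list(output):
    """Pull the sysadmin version out of table-style listing output (layout assumed as above)."""
    match = re.search(r"^\|\s*sysadmin\s*\|\s*([\w.]+)\s*\|", output, re.MULTILINE)
    if not match:
        raise LookupError("sysadmin module not present in the listing")
    return match.group(1)


if __name__ == "__main__":
    version = sysadmin_version_from_ma_list(SAMPLE_MA_LIST)
    print(version, sysadmin_status(version))  # 14.0.38.3 vulnerable
```

The 'unknown' result is deliberate: a branch the advisory does not list (for example a later major version) should be checked against current vendor guidance rather than silently treated as fixed.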

Related Information:

Official Bug ticket: https://issues.freepbx.org/browse/FREEPBX-20821

Further Details:

The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest version of the sysadmin module. This can be done from the Module Admin GUI or from fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported to security@freepbx.org.

