Full Report
FreePBX security advisory (AV26-680)
Analysis Summary
# Vulnerability: Multiple Authenticated Vulnerabilities in FreePBX 17
## CVE Details
*Note: Specific CVE IDs were not explicitly listed in the advisory summary, but the vulnerabilities are tracked via GitHub Security Advisories.*
- **CVE ID:** Pending/assigned via GHSA-79rg-3xp6-rqq6 and GHSA-24w6-hpg3-rwfg
- **CVSS Score:** High (Subject to final vendor/NVD scoring)
- **CWE:** CWE-77 (Command Injection), CWE-94 (Code Injection/SSH Key Injection)
## Affected Systems
- **Products:** FreePBX API and FreePBX Backup
- **Versions:**
- FreePBX API (FreePBX 17): Versions prior to 17.0.9
- FreePBX Backup (FreePBX 17): Versions prior to 17.0.11
- **Configurations:** Systems running FreePBX 17 with the API or Backup modules enabled.
## Vulnerability Description
Two distinct security flaws were identified in FreePBX 17 components:
1. **Host Command Injection (API Module):** An authenticated vulnerability in the `generatedocs` functionality of the API. Improper validation of input allows an attacker to inject arbitrary commands into a host-level execution call.
2. **SSH Key Injection (Backup Module):** An authenticated vulnerability within the Backup module that allows for the injection of arbitrary SSH keys. This could grant an attacker persistent, unauthorized remote access to the underlying operating system via SSH.
## Exploitation
- **Status:** Not reported as exploited in the wild at the time of advisory.
- **Complexity:** Medium (Requires authenticated access to the FreePBX management interface).
- **Attack Vector:** Network (Web-based management interface).
## Impact
- **Confidentiality:** High (Full access to system files and PBX data).
- **Integrity:** High (Ability to modify configuration and system files).
- **Availability:** High (Potential for complete system takeover or service disruption).
## Remediation
### Patches
The following versions address these vulnerabilities. Users should update via the FreePBX Module Admin or CLI immediately:
- **FreePBX API:** Update to version **17.0.9** or higher.
- **FreePBX Backup:** Update to version **17.0.11** or higher.
### Workarounds
- **Restrict Access:** Ensure the FreePBX administration interface is not exposed to the public internet. Use VPNs or trusted IP allow-lists.
- **Principle of Least Privilege:** Audit administrative users and remove any unnecessary accounts to reduce the threat surface for authenticated attacks.
## Detection
- **Indicators of Compromise:**
- Monitor `~/.ssh/authorized_keys` for any unrecognized SSH keys.
- Check web server logs for suspicious activity targeting the API `generatedocs` endpoint.
- Review system logs for unexpected outbound connections or command executions originating from the `asterisk` or `www-data` users.
- **Detection methods:** Use file integrity monitoring (FIM) on critical configuration directories.
## References
- hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories/GHSA-79rg-3xp6-rqq6
- hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories/GHSA-24w6-hpg3-rwfg
- hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories?state=published
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/freepbx-security-advisory-av26-680