Full Report
FreePBX security advisory (AV26–711)
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in FreePBX (AV26–711)
## CVE Details
*Note: Specific CVE IDs were not explicitly listed in the provided summary text, though they are associated with the following GHSA identifiers:*
- **ID:** GHSA-37j8-fhxx-9vhp (Unauthenticated RCE)
- **ID:** GHSA-g27h-xf3q-h3rm (Unauthenticated SQLi)
- **ID:** GHSA-hg3v-m857-mvw9 (Authenticated Command Injection)
- **ID:** GHSA-p97w-rq48-p8q2 (Authenticated RCE)
- **ID:** GHSA-f6hc-rqxg-ch86 (Auth Bypass via Backup)
- **CVSS Score:** Up to 10.0 (Critical)
- **CWE:** CWE-94 (Code Injection), CWE-89 (SQL Injection), CWE-77 (Command Injection)
## Affected Systems
- **Products:** FreePBX Modules (UCP, Missed Call, TTS, Music, Framework)
- **Versions:**
- **UCP (FreePBX 17):** Prior to 17.0.9
- **Missedcall:** Prior to 16.0.11 and 17.0.6
- **TTS (Text-to-Speech):** Prior to 16.0.6 and 17.0.6
- **Music:** Prior to 17.0.7
- **Framework:** Prior to 16.0.47 and 17.0.30
- **Configurations:** Systems running the User Control Panel (UCP) with socket.io enabled and systems processing inbound Caller ID names are at highest risk.
## Vulnerability Description
This advisory covers several high-impact flaws:
1. **RCE via UCP:** An unauthenticated remote code execution vulnerability exists in the User Control Panel. It involves a `socket.io` namespace authentication bypass combined with Asterisk Manager Interface (AMI) action injection.
2. **SQL Injection:** An unauthenticated SQLi vulnerability in the `missedcall` module. Attackers can inject malicious SQL through the inbound Caller ID name, potentially leading to a full administrator account takeover.
3. **Command Injection:** The TTS module is susceptible to AGI (Asterisk Gateway Interface) command injection through the "TTS Name" field.
4. **Music RCE:** Authenticated users can achieve RCE via `mpg123` and Asterisk Call Files.
5. **Auth Bypass:** Vulnerability in the Framework module allowing `AUTHTYPE` to be restored/manipulated via a crafted backup file.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild; however, the technical details are public via GHSA advisories.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Critical (Full database access and system file read).
- **Integrity:** Critical (Modification of system configuration and administrator credentials).
- **Availability:** Critical (Potential for complete system takeover or service disruption).
## Remediation
### Patches
Update modules to the following versions or higher:
- **UCP (v17):** 17.0.9
- **Missedcall:** 16.0.11 or 17.0.6
- **TTS:** 16.0.6 or 17.0.6
- **Music (v17):** 17.0.7
- **Framework:** 16.0.47 or 17.0.30
Updates can be applied via the FreePBX GUI (Module Admin) or via CLI using `fwconsole ma upgradeall`.
### Workarounds
- Protect the FreePBX management interface and UCP behind a VPN or trusted IP allowlist.
- Disable the User Control Panel (UCP) if not required for business operations.
## Detection
- **Indicators of Compromise:** Unusual administrative accounts created in the database; unexpected AMI (Asterisk Manager Interface) commands; suspicious activity in Asterisk logs (`/var/log/asterisk/full`).
- **Detection methods:** Review web server access logs for unusual POST requests to `socket.io` endpoints or the TTS configuration pages.
## References
- Vendor Security Advisories: hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories
- Official Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/freepbx-security-advisory-av26-711