
SEC-2018-001

Overview:

A specially crafted, unauthenticated URL sent to the login page of a FreePBX system can expose the following:

  • All Advanced Settings and their current states
    • Some Advanced Settings contain passwords; be aware of the following:
      • FPBX_ARI_PASSWORD is a setting that includes a master password for the old ARI. It does NOT contain any passwords for the current UCP. (Old ARI has been deprecated since FreePBX 12+.)
      • PROXY_PASSWORD, PROXY_USERNAME and PROXY_ADDRESS are settings that could expose your network proxy settings (default is empty and must be configured manually).
      • PHP_CONSOLE_PASSWORD is used to view debug statements through the PHP Console extension for Google Chrome; it only applies when enabled through PHP_CONSOLE (not enabled by default).
  • System Unique Identifier
  • PBX Brand, Version and type
  • List of all system extensions and their descriptions
    • This includes anything dialable, such as feature codes, queues, ring groups, users, devices and extensions. Anything that exists on your PBX and can be dialed from a phone appears in this list.

Discovered By:

Dan DoRego <ddorego(at)alterlabs(dot)com>

Impact:

CVSS 3 Details:

  • CVSS Base Score: 5.8
  • Impact Subscore: 1.4
  • Exploitability Subscore: 3.9
  • CVSS Temporal Score: 5.2
  • CVSS Environmental Score: 4.7
  • Modified Impact Subscore: 0.7
  • Overall CVSS Score: 4.2


AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:X/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N

Vulnerable software and versions:

Versions below the following:

  • < framework v12.0.76.5
  • < framework v13.0.195
  • < framework v14.0.5.1

Fixed in the following versions:

  • >= framework v12.0.76.6
  • >= framework v13.0.195.1
  • >= framework v14.0.5.2
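A version check against the fixed releases listed above, added here as an example and not part of the original advisory. It assumes `fwconsole ma list` prints a pipe-delimited table with module and version columns (the sample output below is constructed), and treats branches the advisory does not list (15 and later) as not covered rather than as fixed.

```python
"""Check a FreePBX framework version against the SEC-2018-001 fixed releases."""
import re
from typing import Optional

# Fixed framework versions from the advisory, keyed by major release branch.
FIXED_VERSIONS = {12: "12.0.76.6", 13: "13.0.195.1", 14: "14.0.5.2"}

# Constructed sample in the table layout `fwconsole ma list` prints (assumed).
SAMPLE_MA_LIST = """\
+-----------+-----------+---------+
| Module    | Version   | Status  |
+-----------+-----------+---------+
| core      | 13.0.116  | Enabled |
| framework | 13.0.195  | Enabled |
| ucp       | 13.0.60   | Enabled |
+-----------+-----------+---------+
"""

def parse_version(version: str) -> tuple:
    """'13.0.195' -> (13, 0, 195); a leading 'v' as written in the advisory is tolerated."""
    cleaned = version.strip().lstrip("v")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in cleaned.split("."))

def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below its branch's fix, False if at or above it,
    None when the branch (e.g. 15+) is not covered by the advisory."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    # Tuple ordering makes (13, 0, 195) < (13, 0, 195, 1), which is what we need.
    return parsed < parse_version(fixed)

def framework_version(ma_list_output: str) -> Optional[str]:
    """Pull the framework module's version out of `fwconsole ma list` table output."""
    for line in ma_list_output.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == "framework":
            return cells[1]
    return None

if __name__ == "__main__":
    found = framework_version(SAMPLE_MA_LIST)
    print(f"framework {found}: vulnerable={is_vulnerable(found)}")
```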

Related Information

- Official Bug ticket: FREEPBX-17493

Further Details:

This vulnerability is classified as information leakage. An attacker cannot change any of the information they are presented with; they could, however, use it for further malicious activity.

Sangoma strongly encourages all users of FreePBX 12, 13 and 14 to upgrade to the latest framework and ucp version. This can be done from the Module Admin GUI or the CLI. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported to security@freepbx.org.
