lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 1 Oct 2014 11:30:38 +1000
From: Rob Thomas <rob.thomas@...moozecom.com>
To: fulldisclosure@...lists.org
Subject: [FD] FreePBX (All Versions) RCE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We would like to announce that a significant security vulnerability has
been discovered in all current versions of FreePBX.

A CVE has been requested from Mitre, but has yet to be provided.

Further details as they come to hand will be available from
http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions/24536
which should be treated as the authoritative source of nformation. The CVE,
when provided, will be linked from there.

There is also futher information available there about how to detect and
remove any potential intrusion to your FreePBX machine.

Summary:
A remote attacker can bypass authentication and create a false FreePBX
Administrator account, which will then let them perform any action on a
FreePBX system as the FreePBX user (which is often ‘asterisk’ or ‘apache’).

This vulnerability is caused by the improper use of ‘unserialize’ in a
legacy package that has been deprecated in the latest versions of FreePBX,
but is still in common use.

An emergency security release has been pushed to resolve this for all
supported versions (12, 2.11, and 2.10) as well as an emergency backport to
2.9, which is outside of our normal supported environment.

If you are running a version prior to 2.9, and are unable to upgrade, the
patch is available below.

The fixed module versions are:
2.9: fw_ari v2.9.0.9
2.10: fw_ari v2.11.1.5
2.11: fw_ari v2.11.1.5 (not a typo, it’s the same module version)

In FreePBX 12 ARI is deprecated in favour of the new User Control Panel,
but ARI is available as a legacy package if required, as version 12.0.5.

All versions lower than this are vulnerable and should be removed if unable
to be upgraded.

Note that disabling them will NOT resolve this issue, the files must be
removed or patched.

This issue was discovered by a signature verification failure on a FreePBX
12 system, and the attack appeared to be scripted. As such, this attack
should be considered to be ‘in the wild’, and upgrades should be actioned
with the utmost urgency.

FreePBX and Schmooze takes security very seriously, and treat all security
issues as a critical event.  We urge anyone who has discovered a security
vulnerability in FreePBX, or its associated projects, to email
security@...epbx.org for an immediate response.

We also continue our recommendation that your FreePBX machines are
explicitly firewalled from public access from the internet.

Additional Details:

Overall CVSS Score - 6

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score  - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8

Link to patch:
https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836

FreePBX Security Team,
Schmooze Com Inc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJUK1jMAAoJEFH1to0lFV3LfjoP/j3+Aj6sRh2Q59G8maHROGCG
Rgs48QeP+Y8bcJ7UhgMGCpo/axaAkMp15u29ktNxqTjYnO17UMUsf2mYynSAK5Ce
e0P1WpHdUrqlXBIuQjrBOOCdPNrN9gJdFsL/nLJbsGyzkCJ3czKlmUyhGyYO3xDB
KDw+HIA7keh97MHefCz6CtEV5aNrynPpTOLYgfLJcnUsjQKcoXptDPR4fCgFyEld
+3Z45mNasr9pbZbsKBeCZIQK3fd4aNM90Y0BQ2Vb6ePF79I+o6gdKrXswvntuOwV
/ilLM2Rg9ixpUW+gXSUA/mwEXuk+eT1cngi9lnxMH46mRPF5oOXYOtW3bnVBPUgC
m1VSz/H8ogpgspLoI/4K1sL14vDYNuwDJFk5i3m/q5ShgiAa9+AGLTLJv94e1GFL
vJcCX5ASJdRqgZYAfQCnh5RCGB3w2gD2f7CNcjBcBbfoDa80EL9mryHdOeZDAJpa
4awVxa4KvSqiindWikKjCQJTR93QEEpgaByam8a4kSXUplRxpKS1TwCSu/nttOfV
+oJJ6lCnTZw9GSSj18Rrdj0P1s0YVbHaOuwPyqpbk+2l7B7dmAWNTAXIOiGCW4GP
eiBXkIZ2bpjgt86G0YLqAUZw0UP+m3xFBxmwODx83Kqwms50dCuH31hz317wt+XN
zD+fgpg6xiPyddpw27XR
=J1yz
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists