FreePBX have announced that users with “Recordings” need to update to the latest version.
An unauthenticated remote attacker can run shell commands as the Asterisk user of any FreePBX machine with ‘Recordings’ versions between 13.0.12 and 13.0.26.
The Recordings module lets you play back recorded system files. Due to a coding error and a PHP quirk, certain Ajax requests for files were served without authentication.
This has been fixed in Recordings 13.0.27.
For PBXact UC users on version 10.13.66 make sure you upgrade to version 10.13.66-15 or higher to receive the patch. For information on how to update your PBXact system review our wiki here.
For FreePBX Distro users on version 10.13.66 you can either upgrade the Recordings module in module admin to version 13.0.27 or upgrade to FreePBX Distro 10.13.66-15. For information on how to update your FreePBX Distro system review our wiki here.
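The affected range above is narrow (13.0.12 through 13.0.26 inclusive), so it is easy to misjudge by eye, especially for versions carrying a distro-style suffix. The following POSIX shell script is an added example, not part of the FreePBX announcement or the FreePBX project; it compares a Recordings module version string, as read from Module Admin, field by field against the affected range. The version string is supplied as an argument; the script assumes dotted numeric versions and ignores any trailing non-numeric suffix such as `-15`.

```shell
#!/bin/sh
# Added example (not FreePBX project code): decide whether an installed
# Recordings module version falls inside the affected range 13.0.12..13.0.26.
# Usage: sh check_recordings.sh 13.0.25

# vercmp A B -> prints -1 if A<B, 0 if A==B, 1 if A>B.
# Fields are compared numerically; a missing field counts as 0 and a
# non-numeric suffix (e.g. "-15") on a field is ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # leading field of each version, reduced to its leading digits
        af=${a%%.*}; bf=${b%%.*}
        af=${af%%[!0-9]*}; bf=${bf%%[!0-9]*}
        af=${af:-0}; bf=${bf:-0}
        if [ "$af" -lt "$bf" ]; then printf '%s\n' -1; return 0; fi
        if [ "$af" -gt "$bf" ]; then printf '%s\n' 1; return 0; fi
        # drop the field just compared
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
    done
    printf '%s\n' 0
}

# recordings_vulnerable VERSION -> exit status 0 when VERSION is in the
# affected range (13.0.12 <= VERSION <= 13.0.26), 1 otherwise.
recordings_vulnerable() {
    v="$1"
    [ "$(vercmp "$v" 13.0.12)" -ge 0 ] && [ "$(vercmp "$v" 13.0.26)" -le 0 ]
}

# Report on the version given on the command line, if any.
if [ $# -gt 0 ]; then
    if recordings_vulnerable "$1"; then
        echo "Recordings $1: AFFECTED - upgrade to 13.0.27 or later"
    else
        echo "Recordings $1: not in the affected range"
    fi
fi
```

The check treats the range boundaries as affected, matching the "between 13.0.12 and 13.0.26" wording of the advisory; a version such as 13.0.27 or 13.0.11 reports as not affected.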
This vulnerability was discovered by: Adrian Maertins.
As FreePBX is an appliance, any remote shell access can be leveraged to become root.
For security, performance, and the best user experience, keep ALL modules up to date. Some security and functional updates may be delayed or never released by maintainers of third-party repositories.
It is also good practice, whenever your PBX must be reachable from the internet, to run the FreePBX firewall and/or another quality firewall in front of your system. Limit access via VPNs and, where possible (for example with Sangoma Phones), take advantage of native phone VPNs so that you open as few ports as possible and minimise the exposure you present to potential attackers.