Full Report
FreePBX security advisory (AV26–474)
Analysis Summary
# Vulnerability: Unauthenticated Hard-Coded Credentials in FreePBX UCP
## CVE Details
- **CVE ID:** CVE-2024-34533 (Note: Derived from the linked GHSA reference in the advisory)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-798 (Use of Hard-coded Credentials)
## Affected Systems
- **Products:** FreePBX User Control Panel (UCP) / Userman Module
- **Versions:**
- FreePBX 16: versions 16.0.45 and prior
- FreePBX 17: versions 17.0.7 and prior
- **Configurations:** Systems running the `userman` (User Management) module with the UCP interface enabled.
## Vulnerability Description
A critical vulnerability exists in the FreePBX User Control Panel (UCP) interface due to the use of hard-coded credentials. An unauthenticated remote attacker can exploit this flaw to gain unauthorized access to the UCP. The root cause is that certain authentication checkpoints within the `userman` module relied on static, hard-coded values rather than requiring a unique, user-specific credential or a valid session token for specific administrative or user-level actions.
## Exploitation
- **Status:** Vulnerability disclosed; availability of Proof of Concept (PoC) code is being monitored (see the referenced GitHub Security Advisory).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to user data and communication logs)
- **Integrity:** High (Potential to modify user settings or system configurations)
- **Availability:** High (Potential to disrupt telephony services or user access)
## Remediation
### Patches
The vendor has released updates for the `userman` module. Administrators should update to the following versions or higher:
- **FreePBX 16:** `userman` v16.0.45.1
- **FreePBX 17:** `userman` v17.0.7.1
Updates can be applied via the FreePBX GUI (Module Admin) or via CLI using:
`fwconsole ma upgrade userman`
### Workarounds
- Disable the User Control Panel (UCP) interface if it is not required for business operations.
- Restrict access to the UCP web interface using firewall rules or ACLs to known/trusted IP addresses.
## Detection
- **Indicators of Compromise:** Unusual login activity in the UCP logs originating from unexpected IP addresses.
- **Detection methods:** Audit the `userman` module version via CLI: `fwconsole ma list | grep userman`. Monitor web server logs for unauthorized access to `/ucp/` endpoints.
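The two detection methods above, combined into one script as an added example (not part of the advisory): it classifies the `userman` row of `fwconsole ma list` output against the fixed versions listed under Patches, and flags `/ucp/` requests in a web server combined-format log whose client address lies outside an assumed trusted network. The table layout of the `ma list` sample and the log lines are constructed, and the trusted CIDR is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Fixed userman versions from the advisory, keyed by FreePBX major release.
FIXED_USERMAN = {16: (16, 0, 45, 1), 17: (17, 0, 7, 1)}

def parse_version(text):
    """Turn '16.0.45.1' into a comparable tuple (16, 0, 45, 1)."""
    return tuple(int(p) for p in text.strip().split("."))

def userman_status(ma_list_output):
    """Classify the userman row of `fwconsole ma list` as 'patched', 'vulnerable', 'unknown-major' or 'not-installed'."""
    for line in ma_list_output.splitlines():
        cols = [c.strip() for c in line.strip("| ").split("|")]
        if len(cols) >= 2 and cols[0] == "userman":
            version = parse_version(cols[1])
            fixed = FIXED_USERMAN.get(version[0])
            if fixed is None:
                return "unknown-major"  # major release not covered by the advisory
            return "patched" if version >= fixed else "vulnerable"
    return "not-installed"

# Combined-log prefix: client, identity, user, [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def untrusted_ucp_requests(log_lines, trusted_cidrs):
    """Return (client, timestamp, method, path, status) for /ucp/ requests from outside the trusted networks."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        client, stamp, method, path, status = m.groups()
        if path.startswith("/ucp/") and not any(ip_address(client) in n for n in trusted):
            hits.append((client, stamp, method, path, int(status)))
    return hits

# Constructed sample data (approximate table layout; not output from a real system).
SAMPLE_MA_LIST = """\
| Module  | Version | Status  |
| userman | 16.0.45 | Enabled |
"""
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /ucp/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "POST /ucp/?quietmode=1 HTTP/1.1" 200 88',
    '203.0.113.7 - - [01/Jan/2025:10:00:10 +0000] "GET /admin/ HTTP/1.1" 403 12',
]
```

Run `userman_status` on the real `fwconsole ma list | grep userman` output and `untrusted_ucp_requests` on the web server access log with the organisation's own trusted ranges; a `vulnerable` result or any returned hit warrants the Remediation steps above.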
## References
- FreePBX Security Advisory: [https[:]//github[.]com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx]
- Cyber Center Advisory: [https[:]//www[.]cyber[.]gc[.]ca/en/alerts-advisories/freepbx-security-advisory-av26-474]
- FreePBX Published Advisories: [https[:]//github[.]com/FreePBX/security-reporting/security/advisories?state=published]