FreePBX security advisory (AV26–596)
Analysis Summary
# Vulnerability: Multiple Authenticated RCE Flaws in FreePBX
## CVE Details
*Note: The provided advisory references security reporting IDs; specific CVE identifiers are often assigned upon publication of these GHSA advisories.*
- **CVE ID:** CVE-pending / GHSA-4jjr-8g5r-wv66 (Command Injection) & GHSA-j53p-5m8r-j3p6 (RCE)
- **CVSS Score:** ~8.8 (High/Critical; an estimate derived from the authenticated-RCE impact, not a score published in the advisory)
- **CWE:** CWE-78 (OS Command Injection) & CWE-94 (Code Injection) / CWE-98 (File Inclusion)
## Affected Systems
- **Products:** FreePBX (User Control Panel and Superfecta modules)
- **Versions:**
  - **FreePBX UCP:** Versions prior to 0.39 (v16) and 0.7 (v17)
  - **FreePBX Superfecta:** Versions prior to 16.0.40 (v16) and 17.0.7 (v17)
- **Configurations:** Systems with the User Control Panel (UCP) or Superfecta modules enabled.
## Vulnerability Description
Two primary vulnerabilities were addressed:
1. **Authenticated Command Injection (UCP):** A flaw in the User Control Panel interface allows an authenticated user to inject and execute arbitrary OS commands on the underlying server.
2. **Authenticated Superfecta RCE:** An "Unsafe File Inclusion" vulnerability exists within the Superfecta module. This allows an authenticated attacker to include arbitrary files, leading to the execution of unintended PHP code (Remote Code Execution).
## Exploitation
- **Status:** PoC availability not detailed in summary, but vulnerabilities are confirmed by the vendor.
- **Complexity:** Low (to Medium depending on the authenticated role required).
- **Attack Vector:** Network (Authenticated).
## Impact
- **Confidentiality:** High (Full access to system data/files).
- **Integrity:** High (Ability to modify system configuration and telephony settings).
- **Availability:** High (Potential to disrupt PBX services or shut down the server).
## Remediation
### Patches
Users should update to the following versions or higher:
- **FreePBX UCP 16:** v0.39
- **FreePBX UCP 17:** v0.7
- **FreePBX Superfecta 16:** v16.0.40
- **FreePBX Superfecta 17:** v17.0.7
### Workarounds
- Limit network access to the FreePBX administrative and UCP interfaces to trusted IP addresses only (VPN/Internal network).
- Disable the UCP or Superfecta modules if they are not actively required for business operations.
## Detection
- **Indicators of Compromise:** Review the web server (Apache) access logs and the Asterisk/FreePBX logs for shell metacharacters, unexpected file paths or stream wrappers in GET/POST requests that target the `ucp` and `superfecta` endpoints.
- **Detection methods and tools:** Monitor for PHP processes or child shells spawned from the web server user context, and for unexpected outbound network connections originating from that user.
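The log review described above can be scripted. The following is an added example written for this page, not code from FreePBX or from the advisory: it parses Apache combined-format access log lines, keeps only requests that touch the `ucp` or `superfecta` endpoints, URL-decodes the request target (twice, to catch double encoding) and tags it when it contains generic OS-command metacharacters or file-inclusion patterns. The indicator patterns, the endpoint regex and the sample log lines are all constructed assumptions; the advisory publishes no request details, so the parameter names used in the samples (`EXAMPLE`, `file`) are placeholders and not the vulnerable parameters.

```python
import re
from urllib.parse import unquote_plus

# Generic indicators a defender would flag in a request to a PHP web app.
# Constructed for this example; they are not taken from the advisory.
SHELL_META = re.compile(r"[;|`\n]|\$\(|&&|\|\|")
INCLUSION = re.compile(r"\.\./|\.\.\\|php://|data:|file://|expect://", re.IGNORECASE)
# Requests to the User Control Panel or anything mentioning the Superfecta module.
MODULE_PATHS = re.compile(r"/ucp(/|\?|$)|superfecta", re.IGNORECASE)

# Apache "combined"/"common" log format: ip ident user [time] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic: two benign requests, two suspicious ones, one unparseable line.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2026:10:01:02 +0000] "GET /ucp/?module=voicemail&mailbox=2001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2026:10:02:10 +0000] "POST /ucp/?module=EXAMPLE&arg=x%3Bid HTTP/1.1" 200 88',
    '10.0.0.9 - - [12/Jan/2026:10:03:44 +0000] "GET /admin/config.php?display=superfecta&file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [12/Jan/2026:10:04:00 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 2048',
    'garbage line that is not an access log record',
]


def parse_line(line):
    """Return the fields of one access-log record, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return indicator tags for a raw request target; empty list if nothing is suspicious.

    Only requests to the UCP/Superfecta endpoints are inspected, so ordinary
    admin traffic with odd characters elsewhere does not produce noise here.
    """
    decoded = unquote_plus(unquote_plus(target))  # second pass handles double encoding
    if not MODULE_PATHS.search(decoded):
        return []
    tags = []
    if SHELL_META.search(decoded):
        tags.append("shell-metacharacters")
    if INCLUSION.search(decoded):
        tags.append("file-inclusion-pattern")
    return tags


def scan(lines):
    """Scan an iterable of log lines and return one hit dict per suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        tags = classify(rec["target"])
        if tags:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "target": rec["target"],
                "tags": tags,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {", ".join(hit["tags"])}')
```

Run it against a real log with `scan(open("/var/log/httpd/access_log"))` (path varies by distribution); a hit is a starting point for triage, not proof of compromise, so pair it with a check of the authenticated user's session and the process tree of the web server user at that time.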
## References
- hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories/GHSA-4jjr-8g5r-wv66
- hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories/GHSA-j53p-5m8r-j3p6
- hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories?state=published
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/freepbx-security-advisory-av26-596