AsteriskNOW Critical FreePBX RCE Vulnerability

Post by chinkle » Wed Oct 01, 2014 2:14 pm

AsteriskNOW versions 5.211.65 - security notice

We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.

This exploit allows users to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which may then be used to grant the attacker full remote code execution access as the user running the Apache process.

Please refer to this link for additional details:
http://community.freepbx.org/t/critical ... 7235/24536

It is highly recommended AsteriskNOW versions 5.211.65-12 and 5.211.65-18 be upgraded to version 19.
Instructions: http://wiki.freepbx.org/display/FD/Upda ... ial+Distro