NZNOG’s been a bit quiet lately!
This might be of interest or relevance to NZ Operators, so FYI…
Cheers
Mark.
From: AusNOG On Behalf Of Rob Thomas
Sent: Wednesday, 20 November 2019 4:24 pm
To:
Subject: [AusNOG] Heads up: Super awful FreePBX RCE
If you have any FreePBX machines floating around, now is the time to make sure they're up to date, ESPECIALLY if they're visible from the interwebs.
https://www.reddit.com/r/VOIP/comments/dypp36/20191119_critical_freepbx_secu...
I backdated it for those yanks who are living in the past, but it was discovered this morning.
The quick summary is it's a trivial exploit, with the ability to escalate to a root shell - which means a pwned machine, all the attacker needs is unauthenticated visibility to any of the admin pages.
Feel free to hit me up offlist if you need any more info. And yes, it was my code that was vulnerable, but in my defence it was 12 year old code, and the vulnerability was only just discovered now 8)
--Rob
