Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application

Vendor: Sangoma Technologies
Vendor URL: https://freepbx.com
Versions affected: FreePBX 13, 14, and 15
Systems Affected: FreePBX UCP application
Author: Bill Marquette
Advisory URLs:
SEC-2020-06: https://wiki.freepbx.org/display/FOP/2020-08-17+SQL+Injection+In+cel+module
SEC-2020-07: https://wiki.freepbx.org/display/FOP/2020-08-17+SQL+Injection+In+cdr+module
Risk: High

Summary:

The User Control Panel (UCP) application is vulnerable to multiple authenticated SQL Injection vulnerabilities which can result in the compromise of administrative accounts as well as the PBX appliance itself.

FreePBX has a sizable install base, with Shodan showing over 32 thousand public results for the Sangoma Apache server header. The UCP application in FreePBX provides a way for users to control call handling and personal settings from the web browser. Inside UCP a user can change their Call Forwarding, Call Waiting, Do Not Disturb, Follow Me settings, access voicemail, and view call history.

Location:

  • /ucp/ajax.php?module=cel&command=grid
  • /ucp/ajax.php?module=cdr&command=grid

Impact:

It is possible to create a new administrative user and utilize functionality available in the administration application to gain access to the underlying operating system.

Details:

cel module:
The ajaxHandler() function in /var/www/html/ucp/modules/Cel/Cel.class.php, when provided the ‘grid’ command, passes the $_REQUEST variable containing all URL parameters to the cel_getreport() function in /var/www/html/admin/modules/cel/Cel.class.php. This function subsequently extracts the $_REQUEST array into local function variables which are then concatenated into SQL queries allowing for injection of arbitrary SQL.

cdr module:
The ajaxHandler() function in /var/www/html/ucp/modules/Cdr/Cdr.class.php, when provided the ‘grid’ command, passes the $_REQUEST[‘limit’] parameter to the getCalls() function in /var/www/html/admin/modules/cdr/Cdr.class.php. The contents of the parameter are then concatenated directly on the end of a SELECT statement allowing for injection of arbitrary SQL.

While the use of the mysqli extension is common for PHP applications, FreePBX makes use of the PDO extension which provides a consistent interface for accessing multiple databases. The impact of SQL injection vulnerabilities with the PDO extension is largely increased as the extension allows SQL commands to be stacked. Stacked queries enable attackers to easily append data modification queries such as UPDATE, INSERT, and DELETE to SELECT statements.

Recommendation:

Sangoma has released updated cel and cdr modules addressing these vulnerabilities for FreePBX versions 13, 14, and 15. The currently installed module version can be verified in the Module Admin GUI with the below table listing the earliest fixed version for the referenced module. Specific upgrade details can be found in the linked advisories from Sangoma.

cel modulecdr module
FreePBX 1313.0.26.1213.0.35
FreePBX 1414.0.414.0.5.22
FreePBX 1515.0.15.1015.0.17.2

In the event that the module upgrade cannot be performed in an acceptable time frame, disabling the UCP interface will mitigate the vulnerabilities at the cost of the functionality provided by the UCP.

Vendor Communication:

  • 6/5/20: Emailed FreePBX & Sangoma security asking for security contact details.
  • 6/5/20: Sangoma security confirmed their contact details.
  • 6/5/20: Disclosed issue to FreePBX security email per published documentation.
  • 6/11/20: Disclosed issue to Sangoma security after initial email to FreeBPX timed out.
  • 6/11/20: Sangoma acknowledged that issue had been received and was being reviewed.
  • 6/16/20: Received confirmation from Sangoma that they were able to replicate identified vulnerabilities and that a timeline for remediation was being reviewed.
  • 8/17/20: Sangoma announced advisories SEC-2020-006 & SEC-2020-007 addressing the vulnerabilities disclosed in this advisory. Updates for the cel and cdr modules addressing these issues have been made available for FreePBX 13, 14, and 15.

Thanks to:

The security team at Sangoma for their responsive communication.

About NCC Group:

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face.

We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.