FreePBX
cpe:2.3:a:freepbx:freepbx:*:*:*:*:*:*:*
- < 16.0.17
- < 17.0.5
A privilege escalation vulnerability has been identified in the FreePBX API module, affecting versions prior to 17.0.5 and 16.0.17. This vulnerability allows authenticated users with REST or GraphQL API access to forge a valid JSON Web Token (JWT) and gain unauthorized access to the APIs. The JWT is signed with the 'api-oauth.key' private key, and an attacker can specify any desired scopes, bypassing standard authorization checks. However, the 'jti' (JWT ID) claim must exist in the database for the token to be accepted, requiring knowledge of a valid 'jti' from the target instance.
Exploitation of this vulnerability grants full access to the REST and GraphQL APIs on the affected FreePBX instance, potentially allowing for unauthorized actions or data manipulation through the APIs.
To reproduce this vulnerability, an authenticated user must first obtain a valid JWT issued by the FreePBX server. This can be done by intercepting API requests, accessing server logs, or through direct database access. Once a valid JWT is obtained, the 'jti' claim can be extracted and used to forge a new JWT with elevated privileges by including arbitrary scopes. The forged token can then be used to access the REST or GraphQL APIs with the specified permissions.
Users can update to FreePBX version 17.0.5 or 16.0.17 to address this vulnerability.
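As an added illustration (example code, not FreePBX's own), the two verification patterns the advisory contrasts: a check that validates the signature and confirms the 'jti' exists in the database but then honours whatever scopes the token carries, beside a hardened check that takes authorization from the server-side record for that 'jti' and rejects any token claiming scopes beyond what was issued. The example uses HS256 with a constructed key and an in-memory token table so it runs on the standard library alone; the real module signs with the 'api-oauth.key' private key, and the hardened function is an assumed mitigation, not FreePBX's actual fix.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only. The advisory says FreePBX signs
# with the 'api-oauth.key' private key (asymmetric); HS256 is used here so the
# example needs nothing beyond the standard library.
SIGNING_KEY = b"example-signing-key-not-real"

# Constructed server-side record of issued tokens: jti -> what was granted at
# issue time. In a real deployment this would be the database row the
# advisory refers to.
ISSUED_TOKENS = {
    "jti-0001": {"scopes": ["read:extensions"], "revoked": False},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a compact JWS (HS256) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str) -> dict:
    """Check the MAC and return the decoded claims; raise on any defect."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def authorize_weak(token: str) -> list:
    """The pattern the advisory describes: a valid signature plus a jti that
    exists in the database is enough, and scopes are read from the token."""
    claims = _verify_signature(token)
    if claims.get("jti") not in ISSUED_TOKENS:
        raise PermissionError("unknown jti")
    return claims.get("scopes", [])


def authorize_strict(token: str) -> list:
    """Assumed hardened pattern: the scopes a token may exercise come from the
    server-side record keyed by jti. A token that claims anything beyond what
    was issued is rejected, which is also the event worth logging."""
    claims = _verify_signature(token)
    record = ISSUED_TOKENS.get(claims.get("jti"))
    if record is None or record["revoked"]:
        raise PermissionError("unknown or revoked jti")
    claimed = set(claims.get("scopes", []))
    issued = set(record["scopes"])
    if not claimed <= issued:
        raise PermissionError(
            f"token claims scopes that were never issued: {sorted(claimed - issued)}"
        )
    return sorted(claimed)


if __name__ == "__main__":
    ok = sign_jwt({"jti": "jti-0001", "scopes": ["read:extensions"]})
    inflated = sign_jwt({"jti": "jti-0001", "scopes": ["admin:all"]})
    print("weak  :", authorize_weak(ok), authorize_weak(inflated))
    print("strict:", authorize_strict(ok))
    try:
        authorize_strict(inflated)
    except PermissionError as e:
        print("strict:", e)
```

The design point is that a signature proves who minted the token, not that its authorization claims are still the right ones; once a known 'jti' is required anyway, the server already has a record to consult, and that record, not the token body, should decide which scopes apply.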