Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
FreePBX Filestore Command Injection Vulnerability in Endpoint Manager
Vulnerability
A post-authentication command injection vulnerability has been identified in the filestore module of the FreePBX Endpoint Manager, affecting versions from 17.0.2.36 up to, but not including, 17.0.3. The flaw allows an authenticated user to inject shell commands through the testconnection -> check_ssh_connect() code path. Successful exploitation results in arbitrary command execution on the server, and can give the attacker remote access as the asterisk user.
Impact
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server, potentially leading to unauthorized access as the asterisk user.
Reproduction
To reproduce this vulnerability, an authenticated user must log in to the FreePBX Administration interface and navigate to the Endpoint Manager filestore module. From there, initiating a connection test passes the user-supplied connection parameters unsanitized into the SSH connection check, which triggers the command injection.
Remediation
Users are advised to update the filestore module to version 17.0.3 or later. Additionally, access to the FreePBX Administration Control Panel should be restricted to authorized users only.
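The following PHP snippet is added here to illustrate the vulnerability class and the remediation pattern; it is not FreePBX's own code, and the real check_ssh_connect() implementation is not shown on this page. A hypothetical connection-test helper that interpolates the request's host, user and port straight into a shell command line is placed beside a hardened form that allow-lists each field and runs ssh through proc_open() with an argv array, so no field is ever parsed by a shell. All function names, parameter names and sample inputs are assumptions constructed for the example.

```php
<?php
// Added illustration of the vulnerability class; not FreePBX's own code.
// Function and parameter names are hypothetical.

// Unsafe pattern: request fields are interpolated straight into a shell
// command line, so a metacharacter in any field alters the command.
function build_ssh_check_unsafe(array $p): string
{
    return "ssh -p {$p['port']} {$p['user']}@{$p['host']} exit";
}

// Hardened: validate each field against an allow-list before it is used.
function validate_ssh_params(array $p): array
{
    $host = (string)($p['host'] ?? '');
    $user = (string)($p['user'] ?? '');
    $port = (string)($p['port'] ?? '22');

    // Hostname or IP literal only; spaces, ';', '$', backticks etc. all fail.
    if (filter_var($host, FILTER_VALIDATE_IP) === false
        && filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException("invalid host: $host");
    }
    // Conventional Unix username characters; the first character also
    // keeps the value from starting with '-'.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.-]{0,31}$/', $user)) {
        throw new InvalidArgumentException("invalid user: $user");
    }
    if (!ctype_digit($port) || (int)$port < 1 || (int)$port > 65535) {
        throw new InvalidArgumentException("invalid port: $port");
    }
    return ['host' => $host, 'user' => $user, 'port' => (int)$port];
}

// Hardened: build an argv array and run it without a shell. proc_open()
// accepts an array command since PHP 7.4 and execs the program directly,
// so /bin/sh never sees any field. '--' ends option parsing as defence in
// depth, so a host value can never be read as an ssh flag.
function build_ssh_check_argv(array $p): array
{
    $v = validate_ssh_params($p);
    return [
        'ssh',
        '-o', 'BatchMode=yes',      // never prompt for a password
        '-o', 'ConnectTimeout=5',
        '-p', (string)$v['port'],
        '--',
        $v['user'] . '@' . $v['host'],
        'exit',
    ];
}

// Runs the validated argv; returns ssh's exit status (0 = login succeeded).
function run_ssh_check(array $p): int
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(build_ssh_check_argv($p), $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed inputs for demonstration.
$good = ['host' => 'pbx.example.test',      'user' => 'asterisk', 'port' => '22'];
$bad  = ['host' => 'pbx.example.test;true', 'user' => 'asterisk', 'port' => '22'];

// The unsafe builder emits a second command after the ';'.
echo build_ssh_check_unsafe($bad), PHP_EOL;

// The hardened builder rejects the bad input before proc_open() is reached.
foreach ([$good, $bad] as $params) {
    try {
        echo implode(' ', build_ssh_check_argv($params)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Where a shell genuinely cannot be avoided (for example when the command has to be handed to a remote shell or to a legacy exec() call), the fallback is to pass every field through escapeshellarg() after the same allow-list validation; validation alone is the primary control, and quoting is the second layer, not a substitute for it.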
