FreePBX
cpe:2.3:a:freepbx:freepbx:*:*:*:*:*:*:*
- < 16.0.45
- < 17.0.24
A local privilege escalation vulnerability has been identified in FreePBX versions prior to 16.0.45 and 17.0.24. The flaw is in the deprecated startup script 'amportal', which runs as root and executes the 'freepbx_engine' file it finds in directories writable by the 'asterisk' user and group. Any member of the 'asterisk' group can therefore create a 'freepbx_engine' file that 'amportal' executes with root privileges.
Exploitation requires local access as a user who is a member of the 'asterisk' group; a successful attacker executes arbitrary commands as root.
Update to FreePBX 16.0.45 or 17.0.24, where this vulnerability has been patched. In addition: verify that only trusted users are members of the 'asterisk' group; check the '/etc/asterisk/' directory for suspicious files, in particular any file named 'freepbx_engine'; ensure that 'live_dangerously = no' is set in 'asterisk.conf'; and remove any unsafe custom Asterisk dial plan applications that could be used to write to the file system as the 'asterisk' user.
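The following audit script is an added example, not FreePBX code, that turns the checks above into something a practitioner can run: it lists any 'freepbx_engine' files under the Asterisk config directory, prints the members of the 'asterisk' group, reports the effective 'live_dangerously' value from 'asterisk.conf', and shows the ownership-and-permission test that a root startup script should apply before sourcing a file (the check the vulnerable step lacked). It assumes the config lives under /etc/asterisk, the group is named 'asterisk', membership is listed in /etc/group, and a Linux 'find' that supports -maxdepth; every function takes its paths as arguments so it can also be run against copied files offline.

```shell
#!/bin/sh
# Added audit helper for the amportal/freepbx_engine privilege escalation described above.
# Not FreePBX code. Assumed defaults: /etc/asterisk, group 'asterisk', /etc/group.

# List every file named 'freepbx_engine' under the given tree (default /etc/asterisk).
# Nothing in a directory writable by 'asterisk' should carry this name.
find_engine_files() {
    find "${1:-/etc/asterisk}" -name freepbx_engine -type f 2>/dev/null
}

# Print the members of the 'asterisk' group (or the group named in $2) from a group file.
# Anyone listed here could have planted a freepbx_engine file before the patch.
asterisk_group_members() {
    awk -F: -v g="${2:-asterisk}" '$1 == g { print $4 }' "${1:-/etc/group}"
}

# Print the effective live_dangerously value from an asterisk.conf: the last uncommented
# assignment wins, both '=' and '=>' are accepted, and trailing ';' comments are stripped.
# Prints 'unset' if the option never appears, so callers can insist on an explicit 'no'.
live_dangerously_setting() {
    awk '
        /^[ \t]*;/ { next }
        /^[ \t]*live_dangerously[ \t]*=/ {
            v = $0
            sub(/^[^=]*=>?[ \t]*/, "", v)   # drop "live_dangerously =" or "=>"
            sub(/[ \t;].*$/, "", v)          # drop trailing comment and whitespace
            val = tolower(v)
        }
        END { print (val == "" ? "unset" : val) }
    ' "${1:-/etc/asterisk/asterisk.conf}"
}

# Return 0 only if a file is safe for a root startup script to source: it must exist,
# be a regular file owned by root, and be writable by neither group nor others.
safe_to_source() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -maxdepth 0 -type f -user root ! -perm -g+w ! -perm -o+w 2>/dev/null)" ]
}

# Combined audit: non-zero exit status if any finding needs attention.
# $1: Asterisk config directory, $2: group file.
audit_freepbx_host() {
    conf_dir="${1:-/etc/asterisk}"
    group_file="${2:-/etc/group}"
    rc=0
    engine=$(find_engine_files "$conf_dir")
    if [ -n "$engine" ]; then
        echo "freepbx_engine file(s) present:"
        echo "$engine"
        rc=1
    fi
    ld=$(live_dangerously_setting "$conf_dir/asterisk.conf")
    if [ "$ld" != "no" ]; then
        echo "live_dangerously is '$ld' in $conf_dir/asterisk.conf; set it to 'no'"
        rc=1
    fi
    echo "asterisk group members: $(asterisk_group_members "$group_file")"
    return $rc
}
```

Run it as `audit_freepbx_host` on the live host (after sourcing the file) or point it at copied files for an offline review; a non-zero exit means at least one of the advisory's conditions is not met. Note that 'safe_to_source' deliberately treats an unreadable or missing file as unsafe rather than falling back to a default, which is the behaviour a root startup script should have.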