FreePBX Backup Module Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the FreePBX backup module, affecting versions prior to 16.0.71 and 17.0.6. The issue arises because the module does not properly sanitize data during backup restore operations. When a user-supplied tar archive is restored, any malicious files within the archive are read and passed directly to the unserialize() function without validation or integrity checks. This flaw allows remote code execution on the server as the web server user, typically 'asterisk' or 'www-data'. Exploitation requires neither shell nor CLI access, and needs no filesystem permissions beyond those the standard restore process already uses. It does, however, require authentication as a user account that has the appropriate access rights and permission to write backup files.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where FreePBX is running, with the executed code running as the web server user, which is usually 'asterisk' or 'www-data'.

Remediation

Users can update the FreePBX backup module to version 16.0.71 or 17.0.6, depending on their FreePBX version. After updating, it is recommended to review the authenticity of backup files and ensure that only trusted users have access to the FreePBX Administrator Control Panel.
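The flaw described above is a deserialization of untrusted archive contents. The following is an added example, not FreePBX's own code, of the two controls a hardened restore path needs: verifying the archive's integrity before anything is parsed, and calling unserialize() with object instantiation disabled so that no class code can run. The HMAC key, function names and sample metadata are assumptions constructed for the illustration.

```php
<?php
// Added example (not FreePBX code): integrity check, then unserialize() without object instantiation.
// Hypothetical per-installation secret kept in server config, never in the archive.
const RESTORE_HMAC_KEY = 'replace-with-a-per-installation-secret';

// Verify an HMAC-SHA256 tag over the raw archive bytes before any parsing.
function archiveIsAuthentic(string $archiveBytes, string $tagHex): bool
{
    $expected = hash_hmac('sha256', $archiveBytes, RESTORE_HMAC_KEY);
    return hash_equals($expected, $tagHex); // constant-time comparison
}

// Deserialise one metadata file while forbidding object instantiation.
function safeUnserialize(string $payload): array
{
    $value = @unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== serialize(false)) {
        throw new RuntimeException('Malformed serialized data in backup');
    }
    if (!is_array($value)) {
        throw new RuntimeException('Backup metadata must be a plain array');
    }
    // allowed_classes => false turns any object into __PHP_Incomplete_Class;
    // reject those instead of silently carrying them into the restore.
    array_walk_recursive($value, function ($item): void {
        if (is_object($item)) {
            throw new RuntimeException('Objects are not permitted in backup metadata');
        }
    });
    return $value;
}

// Restore driver: refuse the whole archive unless its tag verifies.
function restoreBackup(string $archiveBytes, string $tagHex, array $files): array
{
    if (!archiveIsAuthentic($archiveBytes, $tagHex)) {
        throw new RuntimeException('Archive failed integrity check; refusing to restore');
    }
    return array_map('safeUnserialize', $files);
}

// Constructed sample: plain-array metadata restores; a serialized object is rejected.
$files = ['meta.ser' => serialize(['module' => 'backup', 'version' => '16.0.71'])];
$bytes = implode('', $files);
print_r(restoreBackup($bytes, hash_hmac('sha256', $bytes, RESTORE_HMAC_KEY), $files));
try {
    safeUnserialize('a:1:{s:1:"x";O:8:"stdClass":0:{}}');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The integrity tag must be produced with a secret the restoring server holds and the archive author does not; a tag stored inside the archive itself adds nothing, since an attacker who can write the archive can write the tag.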

Added: May 18, 2026, 9:42 PM
Updated: May 18, 2026, 9:42 PM

Vulnerability Rating

Custom Algorithm
spread:         4.5
impact:         7.5
exploitability: 5.0
remediation:    7.9
relevance:      8.7
threat:         3.2
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.