The list is a little longer than I would have expected, and the majority of them are years old.
I’m guessing the FreePBX developers are already aware of these vulnerabilities, so I’m hoping it’s possible to find a complete list of CVE vulnerabilities in FreePBX and whether they have been addressed or not.
The ones I sampled don’t seem to be in FreePBX, although they may be in the SNG7 Linux distribution. Also most or all the ones I sampled don’t seem to be exploitable purely remotely. Quite a few seem to be Apache problems that are only exploitable if third party scripts are installed, which might be an issue for a public web host, but probably not for an embedded one.
Thank you so much, @david55. This is exactly why I was hoping there was a central place to find a list of known CVEs for FreePBX and their status. I suspect most of these are not exploitable in the standard FreePBX/SNG7 distro.
FWIW, the Corvus report lists all 16 of these CVEs as “Apache httpd” vulnerabilities with one being flagged as critical and the other fifteen marked as high.
I’m a little confused because that page identifies vulnerabilities and has NIST CVSS scores, but does not show any CVE identifiers (that I could find). According to the About the CVE Program page: “Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.”
Does anyone know where to find the corresponding CVE-ID for each of the identified vulnerabilities? Or, maybe there is a reason these vulnerabilities are not in the CVE database?
If anyone knows how to reach @tm1000, I’d love to ask him to add the “Official Bug ticket” ID and in what version(s) of FreePBX it was fixed for each of the vulnerabilities on the List of Securities Vulnerabilities page so you don’t have to click in to each one individually to find that important info.
Until Sangoma gets off their butt and moves off CentOS 7, nothing will make this better. FreePBX 16 is a half-assed step to get around CentOS 7, because they manually added PHP7 to their repos, but they did not manually update much else.
Without looking at the detail of each CVE, most will generally not be anything that is actually important unless the system is publicly available to the wider internet. So it will be busywork on your side to push back against idiotic, formulaic nonsense from the insurance company.
@dicko, thank you so much for the link. I’m reluctant to get too far away from the standard FreePBX install and configuration though since it makes it harder to get help when things are all custom rolled. But, if the insurance company plays hardball, it’s good to know I have a workable path forward.
Is there anyone trying to bring FreePBX into the modern world? Where’s the main thread on this issue, dicko? This is definitely off topic from my OP asking for a list of FreePBX CVE vulnerabilities, but it’s definitely important. (Five of the open CVEs are from 2016.)
Are we talking FreePBX or Sangoma’s FreePBX ‘distro’?
Apart from the asterisk macro thing (the pot and the kettle live next door now, go figure), FreePBX itself can happily now run with current open-source OSes: PHP 7.4, Fail2Ban 0.11, OpenSSL 1.1.1n, current Apache 2.4.54, nginx 1.22.0.
Incron and cron-like services are better handled by systemd.
If you rely on any commercially licensed modules including sysadmin or the firewall, then they have you by the short and curlies.
Simple version number scanners see Apache/2.4.6 and do not see that it has had patches applied to it through the RedHat backport process.
Apache 2.4.6 isn’t really 2.4.6…
# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Apr 2 2020 13:13:23
# rpm -q httpd
it’s actually Apache 2.4.6-93! (on a fully-updated FreePBX distro)
As you can see it was compiled in April 2020 so this should satisfy the Apache CVEs before then (you’d have to go through the release notes and check), though you have several on your list that were published after April 2020, so those obviously aren’t resolved.
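One way to do the check described above, looking past the version banner to the fixes Red Hat backports, as an added example that is not from this thread: a POSIX sh script that searches the RPM changelog for the CVE IDs a scanner flagged. On a live CentOS 7 / SNG7 host the changelog would come from `rpm -q --changelog httpd`; here a constructed sample stands in, and the maintainer, bug numbers and CVE IDs in it are placeholders, not real entries.

```shell
#!/bin/sh
# Constructed stand-in for `rpm -q --changelog httpd` output. On a real host use:
#   CHANGELOG=$(rpm -q --changelog httpd)
# Maintainer, bug numbers and CVE IDs below are placeholders, not real Red Hat entries.
CHANGELOG='* Tue Mar 31 2020 Example Maintainer <maint@example.invalid> - 2.4.6-93
- Resolves: #0000001 - CVE-2016-00001 httpd: placeholder description
- Resolves: #0000002 - CVE-2019-00002 httpd: placeholder description

* Mon Jun 18 2018 Example Maintainer <maint@example.invalid> - 2.4.6-80
- Resolves: #0000003 - CVE-2017-00003 httpd: placeholder description'

# cve_status CVE-ID: prints "fixed <EVR>" when the changelog lists the ID under a
# release header, otherwise "open" (meaning: not backported, review it manually).
cve_status() {
    printf '%s\n' "$CHANGELOG" | awk -v cve="$1" '
        /^\* /         { evr = $NF }                 # header line ends with the package EVR
        index($0, cve) { print "fixed " evr; found = 1; exit }
        END            { if (!found) print "open" }'
}

# report CVE-ID...: one tab-separated line per ID, ready to send back to the scanner vendor.
report() {
    for cve in "$@"; do
        printf '%s\t%s\n' "$cve" "$(cve_status "$cve")"
    done
}

# open_count CVE-ID...: how many flagged IDs the changelog does not mention at all.
open_count() {
    report "$@" | grep -c 'open$' || true
}

# Placeholder IDs standing in for the list a version-only scanner would produce.
report CVE-2016-00001 CVE-2017-00003 CVE-2020-00004 CVE-2021-00005
```

An ID reported as "open" is not proof of exposure, only that the package changelog does not claim a fix; the Apache release notes and the RHEL errata still decide whether the version actually shipped is affected.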
@billsimon, thanks, and I couldn’t agree more. In fact, that is exactly what I wrote back to the insurance company about their Corvus scan.
My issue here is that without someplace for us to go to get a definitive list of known vulnerabilities, we’re all just guessing about our security position. I’m hoping others would like CVE numbers added to the List of Securities Vulnerabilities page.
FWIW, here’s what my system has to say about package versions:
Looks like we have a fully-updated FreePBX distro. Woo hoo!
That still doesn’t get us to the 2.4.54 release where all eight of the identified apache vulnerabilities have been addressed.
FWIW, I did go through all of the official Apache release notes. The fixes aren’t incorporated on a date of compilation, but on a release number. So, the CVEs before April 2020 have definitely not been addressed.