Software versions for FreePBX 14 and the SNG7 distro

We just had a security audit and a number of vulnerabilities were flagged on our FreePBX 13 install, related to running an older apache httpd version - 2.2.15. Here’s an example:

Apache HTTPD: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167) (apache-httpd-cve-2017-3167)
Description: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.

Are there plans to update to a more recent version for the new distro built on FreePBX 14 and SNG7?

In general, is there an easy way to see what RPM versions are in SNG7?

Thank you - Richard

Hi!

Was this taken into account or did they simply check the version number?

As Tony so eloquently put it the last time something like this came up, i.e. that audit does not mean much if how Red Hat handles security backports was not taken into account…

Good luck and have a nice day!

Nick

These so-called “tools” only ever query the version of the binary.

Furthermore, nothing in FreePBX uses “ap_get_basic_auth_pw”, which is one of the mechanisms for basic auth through httpd.
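The point made above (a version-string scanner cannot see a Red Hat backport) and the OP's question about checking RPM versions both come down to reading the package changelog rather than the upstream version number. The script below is an added example, not code from the thread or from the FreePBX project; it assumes an EL-family host with rpm(8), and the changelog text it ships with is a constructed sample in the format `rpm -q --changelog` prints, not the real httpd changelog.

```shell
#!/bin/sh
# Added example (not part of the thread): test whether a package changelog records a fix
# for a given CVE, which is how backported fixes show up when the upstream version
# string (e.g. httpd 2.2.15) predates the fix.

# Constructed sample changelog excerpt; CVE-0000-0001 below is a placeholder id, not a real CVE.
SAMPLE_CHANGELOG='* Tue Jul 11 2017 Example Maintainer <maint@example.invalid> - 2.2.15-60.4
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass

* Mon Mar 20 2017 Example Maintainer <maint@example.invalid> - 2.2.15-60
- rebase patches'

# changelog_has_cve CVE-ID  (changelog text on stdin)
# Exit 0 when the CVE id appears as a whole token (so CVE-2017-3167 does not match CVE-2017-31670).
changelog_has_cve() {
    grep -q -i -w -e "$1"
}

# audit_cves CHANGELOG_TEXT CVE-ID...
# Prints one line per CVE: "<id> fixed" or "<id> not-found". Takes the changelog as an
# argument so it can be exercised without rpm installed.
audit_cves() {
    changelog=$1
    shift
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | changelog_has_cve "$cve"; then
            printf '%s fixed\n' "$cve"
        else
            printf '%s not-found\n' "$cve"
        fi
    done
}

# On a live SNG7 / CentOS 7 host, feed the real changelog instead of the sample:
#   audit_cves "$(rpm -q --changelog httpd)" CVE-2017-3167
# and list installed package versions with:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | sort
if [ "${1:-}" = "--demo" ]; then
    audit_cves "$SAMPLE_CHANGELOG" CVE-2017-3167 CVE-0000-0001
fi
```

Run it with `--demo` to see the sample output; a "not-found" result is a reason to look for an erratum or a newer package, while "fixed" is the evidence a version-only scanner report lacks.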

Hi Andrew!

I know…

The OP put so much emphasis on the version numbers that I was sure we were talking of a tool that only queries version numbers and does not actually test if the vulnerability is actually there…

There are tools that actually test for vulnerabilities, I get bombarded with emails each time such a test is run on one of the systems at work… We block every single one of those hack attempts and I wish I could act on detecting it’s a hack attempt fail2ban-style but I am not allowed to act on it…

(They would not be able to test for all the vulnerabilities if I blocked them as soon as I detected a hack attempt…)

I worded my sentence like it was a question but I was pretty pretty sure of the answer…

The OP did mention that this was only an example and that there were others but they are more than likely already all addressed with the package we have…

There is a little something I will have to check if there’s a ticket or a newer package for but it’s something that I doubt many people use and you almost need physical access to the system to be able to do anything…

Have a nice day!

Nick

Thank you all for taking the time on Friday afternoon to answer. I was definitely skeptical and their focus seemed to be on generating as much paper (OK, as large a PDF) as possible.

It will be interesting to see if they will disclose what actual testing they did, versus grabbing the version number. I (naively) assumed they were checking patch levels.

Thank you - Richard

Always ask for “proof of concept”. Usually they are unable to provide.