Critical FreePBX RCE Vulnerability

FreePBX has just released information regarding a Remote Command Execution (RCE) vulnerability in FreePBX. It affects all versions of FreePBX prior to 12. Here is the full blog article from FreePBX: http://www.freepbx.org/node/92822

Here is the full blog article from FreePBX:

http://schmoozestatus.tumblr.com/post/98855286561/critical-freepbx-pbxact-rce-vulnerability-all

Use the following steps to upgrade to the newest version of FreePBX:

  1. Log into your PBX web interface
  2. Choose Admin / System Admin
  3. Click Updates in the right-hand menu
  4. You will need to upgrade to 5.211.65-19 if you are on the stable release and 6.12.65-18 if you are on the beta release.

NOTE: If you do not have the System Admin module installed, we offer it for free.

Or follow the instructions via the FreePBX wiki.
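If you manage several PBXs, the version check behind step 4 can be scripted. The following is an added example, not code from FreePBX or FreePBXhosting.com; it assumes version strings have the form `A.B.C-N` as shown above, and the hostnames, inventory layout and function names are constructed for illustration.

```python
import re

# Minimum fixed versions stated on this page, keyed by release track.
FIXED = {"stable": "5.211.65-19", "beta": "6.12.65-18"}

# Assumed format: three dotted numbers, a dash, then a build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn 'A.B.C-N' into a tuple of ints so comparison is numeric."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def needs_upgrade(installed, track):
    """True if 'installed' is older than the fixed version for 'track'."""
    if track not in FIXED:
        raise ValueError("unknown release track: %r" % track)
    return parse_version(installed) < parse_version(FIXED[track])


def audit(inventory):
    """Return (host, status) pairs; unparsable entries need manual review."""
    results = []
    for host, track, version in inventory:
        try:
            status = "UPGRADE" if needs_upgrade(version, track) else "ok"
        except ValueError:
            status = "UNKNOWN"
        results.append((host, status))
    return results


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("pbx-a.example.net", "stable", "5.211.65-17"),
    ("pbx-b.example.net", "stable", "5.211.65-19"),
    ("pbx-c.example.net", "beta", "6.12.65-9"),  # 9 < 18 only when compared as numbers
    ("pbx-d.example.net", "beta", "6.12.65-18"),
    ("pbx-e.example.net", "stable", "not recorded"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print("%-20s %s" % (host, status))
```

Comparing the build number as an integer matters: a plain string comparison would rank `6.12.65-9` above `6.12.65-18` and report that host as already patched.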

FreePBXhosting.com also recommends that you take this time to perform a module update on your PBX. Use the following steps to update the modules on your PBX:

  1. Log into your PBX web interface
  2. Choose Admin / Module Admin
  3. Click the Check Online button

At a minimum you should see an update for FreePBX Framework:

  1. Scroll to the bottom of the page
  2. Click Upgrade all
  3. Scroll to the bottom of the page
  4. Click Process

You will then receive a pop-up box to confirm the updates. Click Confirm and allow the updates to process. When the updates have processed there will be a ‘return’ link. You should then see a red “Apply Config” button in the top menu. Click that to apply the changes.