NZNOG’s been a bit quiet lately!
This might be of interest or relevance to NZ Operators, so FYI…
From: AusNOG <ausnog-bounces(a)lists.ausnog.net> On Behalf Of Rob Thomas
Sent: Wednesday, 20 November 2019 4:24 pm
To: ausnog(a)lists.ausnog.net
Subject: [AusNOG] Heads up: Super awful FreePBX RCE
If you have any FreePBX machines floating around, now is the time to make sure they're up to date, ESPECIALLY if they're visible from the interwebs.
I backdated it for those yanks who are living in the past, but it was discovered this
The quick summary is it's a trivial exploit, with the ability to escalate to a root shell - which means a pwned machine; all the attacker needs is unauthenticated visibility to any of the admin pages.
Feel free to hit me up offlist if you need any more info. And yes, it was my code that was vulnerable, but in my defence it was 12 year old code, and the vulnerability was only just discovered now 8)