CVE-2019-15059
📋 TL;DR
CVE-2019-15059 allows unauthenticated remote attackers to download Liberty lisPBX configuration backup files containing sensitive PBX information. This affects Liberty lisPBX 2.0-4 installations with default configurations. Attackers can retrieve extension numbers, contacts, and passwords without any authentication.
💻 Affected Systems
- Liberty lisPBX
📦 What is this software?
Lispbx by Lispbx Project
⚠️ Risk & Real-World Impact
Worst Case
Complete PBX compromise including credential theft, unauthorized call routing, toll fraud, and data exfiltration of all PBX configuration and call records.
Likely Case
Attackers download configuration files containing passwords and extension details, leading to unauthorized access to PBX systems and potential call interception.
If Mitigated
If proper access controls are implemented, attackers cannot reach backup directories and sensitive data remains protected.
🎯 Exploit Status
Exploitation requires only HTTP GET requests to specific predictable URLs. No special tools or skills needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
No official patch is available. Upgrade to a newer version if one is available, or apply the workarounds below.
🔧 Temporary Workarounds
Restrict access to backup directory
Configure the web server to deny access to the /backup/ directory
# For Apache 2.4: add to the virtual host config (or .htaccess, if AllowOverride permits it)
<Directory "/path/to/lispbx/backup">
    Require all denied
</Directory>
# For Apache 2.2 the equivalent directives are the older access-control syntax:
#   Order deny,allow
#   Deny from all
# For Nginx: add to the server block (the ^~ prefix match stops regex locations
# from overriding it; the server answers 403)
location ^~ /backup/ {
    deny all;
}
Move backup files outside web root
Change the backup location to a directory that is not served over HTTP
# Edit the Liberty lisPBX configuration to change the backup path
# Check the configuration files for the backup directory settings
# Changing the path only affects new backups: move or delete the archives
# already in the old /backup/ directory, otherwise they remain downloadable
🧯 If You Can't Patch
- Implement network segmentation to restrict access to PBX web interface
- Deploy web application firewall (WAF) rules to block requests to /backup/ paths
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[PBX_IP]/backup/lispbx-CONF-YYYY-MM-DD.tar or http://[PBX_IP]/backup/lispbx-CDR-YYYY-MM-DD.tar (replace YYYY-MM-DD with recent dates). If a file downloads without authentication, the system is vulnerable. A 404 for one date only means no backup exists for that date, so try several recent dates before concluding the host is not exposed.
Check Version:
Check Liberty lisPBX web interface or configuration files for version information
Verify Fix Applied:
Attempt same URLs after implementing workarounds. Should receive 403 Forbidden or similar access denied response.
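The two checks above (is the host vulnerable, and does the workaround hold) can be scripted. The following is an added example, not code from the lisPBX project: it builds the advisory's two archive names for a window of recent dates, requests a single byte of each with a Range header so that a real archive is not pulled down in full, and classifies the response. The target address, date window and timeout are placeholders; run it only against systems you are authorised to test.

```python
"""Probe a lisPBX host for CVE-2019-15059 and confirm a workaround afterwards.

Added example, not code from the lisPBX project. Assumptions: backups are
served from /backup/ as lispbx-CONF-YYYY-MM-DD.tar and lispbx-CDR-YYYY-MM-DD.tar
(the paths named in the advisory); the host, date window and timeout are
illustrative placeholders.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from datetime import date, timedelta

BACKUP_KINDS = ("CONF", "CDR")


def candidate_paths(today_iso: str, days: int = 7) -> list[str]:
    """Backup paths for today_iso and the preceding days-1 days, newest first."""
    today = date.fromisoformat(today_iso)
    paths = []
    for offset in range(days):
        stamp = (today - timedelta(days=offset)).isoformat()
        paths.extend(f"/backup/lispbx-{kind}-{stamp}.tar" for kind in BACKUP_KINDS)
    return paths


def classify(status: int, content_length: int | None) -> str:
    """Map one HTTP response to a verdict for one candidate path.

    exposed : archive is downloadable without authentication (vulnerable)
    blocked : server refuses the path (workaround in effect)
    absent  : no archive for that date; says nothing about exposure
    other   : anything else (empty file, redirect, 5xx); inspect by hand
    """
    if status in (200, 206) and content_length != 0:
        return "exposed"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "absent"
    return "other"


def fetch_status(url: str, timeout: float = 5.0) -> tuple[int, int | None]:
    """GET one byte with a Range header so a large archive is never fully downloaded."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # 206 carries the full size in Content-Range ("bytes 0-0/184320");
            # a server that ignores Range answers 200 with Content-Length instead.
            total = resp.headers.get("Content-Range", "").rpartition("/")[2]
            length = total or resp.headers.get("Content-Length")
            return resp.getcode(), int(length) if length and length.isdigit() else None
    except urllib.error.HTTPError as exc:
        return exc.code, None


def probe(base_url: str, today_iso: str | None = None, days: int = 7) -> dict[str, str]:
    """Verdict per candidate path for one host."""
    today_iso = today_iso or date.today().isoformat()
    base = base_url.rstrip("/")
    return {path: classify(*fetch_status(base + path)) for path in candidate_paths(today_iso, days)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10"  # placeholder address
    verdicts = probe(target)
    for path, verdict in verdicts.items():
        print(f"{verdict:8} {target}{path}")
    sys.exit(1 if "exposed" in verdicts.values() else 0)
```

Before the workaround a vulnerable host returns "exposed" for every date on which a backup exists; after the Apache or Nginx rule is in place every path should come back "blocked", including dates for which no archive exists, since the deny rule fires before the file lookup. A run that yields only "absent" is inconclusive and should be repeated with a wider date window.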
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /backup/ paths in web server logs
- Unusual file downloads from backup directory
Network Indicators:
- HTTP GET requests to /backup/lispbx-*.tar patterns
- Traffic to backup files from unauthorized IPs
SIEM Query:
web_access AND (url CONTAINS '/backup/lispbx-' AND url ENDS WITH '.tar')
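The log and network indicators above come down to one pattern: a GET for /backup/lispbx-CONF-*.tar or /backup/lispbx-CDR-*.tar that the server answered with a 200. The following is an added example, not part of the lisPBX project, that applies that logic to Apache/Nginx combined-format access logs. It assumes that log format; the sample lines are constructed (RFC 5737 documentation addresses) to show a successful download, a miss for a date with no archive, unrelated traffic, and a request that the workaround blocked.

```python
"""Flag lisPBX backup-archive retrievals in web server access logs (CVE-2019-15059).

Added example, not part of the lisPBX project. Assumes the Apache/Nginx
combined log format. SAMPLE_LOG is constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# The exact archive names the advisory describes; a trailing query string is tolerated.
BACKUP_RE = re.compile(r'^/backup/lispbx-(?:CONF|CDR)-\d{4}-\d{2}-\d{2}\.tar(?:\?.*)?$')

# Constructed sample: two successful downloads, one miss, unrelated traffic, one blocked request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2019:03:12:01 +0000] "GET /backup/lispbx-CONF-2019-08-19.tar HTTP/1.1" 200 184320 "-" "curl/7.58.0"
203.0.113.7 - - [20/Aug/2019:03:12:02 +0000] "GET /backup/lispbx-CDR-2019-08-19.tar HTTP/1.1" 200 51200 "-" "curl/7.58.0"
203.0.113.7 - - [20/Aug/2019:03:12:03 +0000] "GET /backup/lispbx-CONF-2019-08-18.tar HTTP/1.1" 404 196 "-" "curl/7.58.0"
198.51.100.22 - - [20/Aug/2019:08:00:14 +0000] "GET /index.php HTTP/1.1" 200 4031 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Aug/2019:09:41:55 +0000] "GET /backup/lispbx-CONF-2019-08-20.tar HTTP/1.1" 403 153 "-" "python-requests/2.22.0"
"""


def parse_line(line: str) -> dict | None:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_backup_requests(lines) -> list[dict]:
    """Every request for a lisPBX backup archive, marked with whether it was served.

    Blocked (403) and missing (404) requests are kept too: after the workaround
    they are the evidence that someone is still probing the host.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and BACKUP_RE.match(rec["path"]):
            rec["served"] = rec["status"] in (200, 206) and rec["size"] > 0
            hits.append(rec)
    return hits


def served_by_client(hits) -> Counter:
    """Successful archive downloads per source IP; the natural alert key."""
    return Counter(h["ip"] for h in hits if h["served"])


if __name__ == "__main__":
    hits = find_backup_requests(SAMPLE_LOG.splitlines())
    for h in hits:
        state = "SERVED " if h["served"] else "denied "
        print(f"{state} {h['ip']:15} {h['status']} {h['path']}")
    for ip, count in served_by_client(hits).items():
        print(f"ALERT {ip} downloaded {count} backup archive(s) without authentication")
```

Any entry in served_by_client is a confirmed disclosure and should be treated as a credential compromise of the PBX (extension secrets and contacts in the CONF archive, call records in the CDR archive); the denied entries are the post-mitigation probing indicator.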