CVE-2021-43404

8.8 HIGH

📋 TL;DR

FusionPBX before version 4.5.30 does not sanitize filenames in its FAX file handling. An attacker who can supply a FAX filename containing shell metacharacters or path components could potentially execute arbitrary code or read files outside the intended directory. This affects all FusionPBX installations running vulnerable versions.

💻 Affected Systems

Products:
  • FusionPBX
Versions: All versions before 4.5.30
Operating Systems: Linux, Unix-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with FAX functionality enabled. FusionPBX is typically deployed on FreePBX/Debian-based systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.

🟠

Likely Case

File system access allowing reading/writing of sensitive files, directory traversal, or limited command execution.

🟢

If Mitigated

No impact if proper input validation and file path restrictions are implemented.

🌐 Internet-Facing: HIGH - FAX functionality may be exposed to external users, allowing remote exploitation.
🏢 Internal Only: MEDIUM - Internal users could exploit the vulnerability if they have FAX access permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to FAX functionality. The commit suggests filename sanitization issues that could lead to path traversal or command injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.30 and later

Vendor Advisory: https://github.com/fusionpbx/fusionpbx/commit/487afc371e5c0dfbbc07cd002333c5bcd949d0f4

Restart Required: No

Instructions:

1. Backup your FusionPBX configuration and database.
2. Update FusionPBX to version 4.5.30 or later using the upgrade script.
3. Verify the fix by checking the version and testing FAX functionality.

🔧 Temporary Workarounds

Disable FAX functionality

linux

Temporarily disable FAX features until patching is possible

# Edit FusionPBX configuration to disable FAX modules
# Remove or comment FAX-related configurations in /etc/fusionpbx/config.php

Implement file upload restrictions

linux

Add a web server rule to block direct requests for FAX files (nginx syntax shown; Apache needs the equivalent directive). Note that this only blocks retrieval of such URIs and does not validate the filenames the application itself processes, so test that the FAX workflow still functions.

# Add to the nginx server block:
location ~ \.fax$ { deny all; }

🧯 If You Can't Patch

  • Implement strict input validation for all FAX filename inputs
  • Deploy WAF rules to block malicious filename patterns and path traversal attempts
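As an added illustration of the "strict input validation" item above (example code written for this page, not FusionPBX's own code), the checks a FAX upload handler should apply before using a user-supplied filename: an allow-list for the name, rejection of path separators, confinement to the FAX directory, and handing the path to a converter as an argv list rather than a shell string. The base directory, extension list and the `fax2pdf` tool name are constructed assumptions.

```python
import posixpath
import re

# Constructed assumptions: FAX files live below a fixed base directory and only
# these extensions are expected. Adjust both to the real deployment.
FAX_BASE_DIR = "/var/lib/fusionpbx/fax"
ALLOWED_EXTENSIONS = {".tif", ".tiff", ".pdf"}

# Allow-list: a letter or digit, then letters, digits, '.', '_' or '-'.
# This excludes shell metacharacters (; | & $ ` space), URL encoding ('%'),
# and a leading '.' so that '.', '..' and hidden files never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def sanitize_fax_filename(user_name, base_dir=FAX_BASE_DIR):
    """Return the absolute path of user_name inside base_dir, or raise ValueError.

    Deny by default: anything that is not plainly a file name is rejected
    rather than "cleaned", since stripping characters can still yield "../".
    """
    if not user_name or "\x00" in user_name:
        raise ValueError("empty name or NUL byte")
    if "/" in user_name or "\\" in user_name:
        raise ValueError("path separators are not allowed in a file name")
    if not SAFE_NAME.fullmatch(user_name):
        raise ValueError("character outside the allow-list")
    if posixpath.splitext(user_name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("unexpected file extension")
    base = base_dir.rstrip("/")
    full = posixpath.normpath(posixpath.join(base, user_name))
    # Defence in depth: confirm the normalised result still sits under base.
    if not full.startswith(base + "/"):
        raise ValueError("resolved path escapes the FAX directory")
    return full


def is_safe_fax_filename(user_name):
    """Accept/reject wrapper for callers that do not need the path."""
    try:
        sanitize_fax_filename(user_name)
        return True
    except ValueError:
        return False


def build_convert_argv(safe_path, out_path):
    """Build the converter command as an argv list, never a shell string.
    Interpolating a name into a shell command line is where injection
    happens; as one argv element the path stays a single argument."""
    return ["fax2pdf", "--input", safe_path, "--output", out_path]
```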

🔍 How to Verify

Check if Vulnerable:

FusionPBX is normally installed as a git checkout under /var/www/fusionpbx (assumption: adjust the path if your install differs). Check whether the fix commit from the vendor advisory is an ancestor of the checked-out revision (run `git fetch` first so the commit object is known locally):

git -C /var/www/fusionpbx merge-base --is-ancestor 487afc371e5c0dfbbc07cd002333c5bcd949d0f4 HEAD && echo "fix present" || echo "fix missing or commit unknown"

Check Version:

git -C /var/www/fusionpbx log -1 --format='%h %cd'

Verify Fix Applied:

Confirm the version is 4.5.30 or higher, then test that a FAX upload whose filename contains special characters (for example `..`, `;` or `|`) is rejected or safely renamed rather than processed as given.

📡 Detection & Monitoring

Log Indicators:

  • Unusual FAX file upload attempts with special characters
  • Failed file operations in FAX directories
  • Web server errors related to file path resolution

Network Indicators:

  • HTTP requests to FAX endpoints with encoded characters in filenames
  • Unusual file upload patterns to FAX interfaces

SIEM Query (generic pseudo-syntax; adapt to your platform, and expect `%` alone to match ordinary URL-encoded requests):

source="fusionpbx.log" AND ("fax" AND (".." OR "%" OR "|" OR ";"))

🔗 References