CVE-2023-26567

8.1 HIGH

📋 TL;DR

This vulnerability in Sangoma FreePBX exposes cleartext database and management interface credentials through global variables. Attackers can retrieve these credentials via API calls, potentially gaining full access to the Asterisk database and management interface. Affects FreePBX installations from version 1805 through 2302 when installed via ISO.

💻 Affected Systems

Products:
  • Sangoma FreePBX
Versions: 1805 through 2302
Operating Systems: Linux (specifically FreePBX ISO installations)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations from ISO files; other installation methods may not be vulnerable. The credentials are exposed in global variables accessible via API.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the FreePBX system, allowing attackers to read/modify call data, intercept communications, install backdoors, and pivot to other systems using database credentials.

🟠

Likely Case

Unauthorized access to Asterisk database containing call records, voicemails, and configuration data, plus potential privilege escalation through manager interface access.

🟢

If Mitigated

Limited exposure if API endpoints are properly firewalled and access controls restrict who can query global variables.

🌐 Internet-Facing: HIGH - API endpoints are typically exposed, and exploitation requires only a simple HTTP request.
🏢 Internal Only: HIGH - Even internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial via HTTP requests to /ari/asterisk/variable endpoint. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2303 and later

Vendor Advisory: https://www.freepbx.org

Restart Required: Yes

Instructions:

1. Backup your FreePBX configuration.
2. Update FreePBX to version 2303 or later via the web interface or command line.
3. Restart the FreePBX services.
4. Verify credentials are no longer exposed.

🔧 Temporary Workarounds

Restrict API Access

Block access to the vulnerable /ari/asterisk/variable endpoint using firewall rules or web server configuration.

iptables -A INPUT -p tcp --dport 80 -m string --string '/ari/asterisk/variable' --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string '/ari/asterisk/variable' --algo bm -j DROP

The string match only sees plaintext payloads: on port 443 the request path is inside the TLS session, so the second rule will not match; block the path in the web server configuration to cover HTTPS. If ARI is served by Asterisk's built-in HTTP server (port 8088 by default) rather than the web server, adjust --dport accordingly.

Change Exposed Credentials

Immediately change the AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS credentials in FreePBX configuration. The commands below refresh module signatures and reload the configuration after the change; they do not rotate the credentials themselves, and the matching database and Asterisk manager users must be updated to the new values so services keep working.

fwconsole ma refreshsignatures
fwconsole reload

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FreePBX from untrusted networks
  • Deploy a web application firewall (WAF) to block requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Make an HTTP request to http://[freepbx-ip]/ari/asterisk/variable?variable=AMPDBPASS and check if credentials are returned in cleartext.

Check Version:

fwconsole --version

Verify Fix Applied:

After patching, repeat the vulnerable check; it should return an error or empty response instead of credentials.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /ari/asterisk/variable endpoint in web server logs
  • Unusual database access from unexpected IP addresses

Network Indicators:

  • HTTP GET requests with query parameters for AMPDBPASS, AMPMGRPASS, etc.
  • Sudden spikes in API calls to FreePBX

SIEM Query:

source="apache_access.log" AND uri_path="/ari/asterisk/variable" AND query_string="*variable=AMP*"
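As an added example (not part of this advisory), a small Python scanner that applies the log indicators above to Apache combined-format access-log lines: it flags requests to /ari/asterisk/variable whose variable parameter names an AMP* global and records whether the server answered with 200, which is when a credential may actually have been disclosed. The log lines are constructed samples using documentation IP ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not from a real system.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:12:01:02 +0000] "GET /admin/config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:12:01:03 +0000] "GET /ari/asterisk/variable?variable=AMPDBPASS HTTP/1.1" 200 64 "-" "curl/7.88"
203.0.113.7 - - [10/Mar/2023:12:01:04 +0000] "GET /ari/asterisk/variable?variable=AMPMGRPASS HTTP/1.1" 200 61 "-" "curl/7.88"
198.51.100.2 - - [10/Mar/2023:12:02:10 +0000] "GET /ari/asterisk/variable?variable=CALLERID HTTP/1.1" 401 0 "-" "python-requests/2.28"
"""

# Minimal combined-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/ari/asterisk/variable"
SENSITIVE_PREFIX = "AMP"  # AMPDBUSER, AMPDBPASS, AMPMGRUSER, AMPMGRPASS


def classify(line):
    """Return a finding for a line matching the indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    requested = parse_qs(parts.query).get("variable", [])
    hits = [v for v in requested if v.upper().startswith(SENSITIVE_PREFIX)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "variables": hits,
        "status": int(m.group("status")),
        # A 200 means the endpoint answered; a credential may have been returned.
        "likely_disclosure": m.group("status") == "200",
    }


def scan(log_text):
    """Run classify() over every line and return the non-empty findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests for non-credential variables (the CALLERID line) are ignored so the alert stays specific to the AMP* globals named in the advisory.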
