CVE-2025-67722
BaseFortify
Publication date: 2025-12-16
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangoma | freepbx | From 16.0 (inc) to 16.0.45 (exc) |
| sangoma | freepbx | From 17.0 (inc) to 17.0.24 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67722 is an authenticated local privilege escalation vulnerability in the deprecated FreePBX startup script `amportal`. The script looks for a file named `freepbx_engine` in the `/etc/asterisk/` directory, which is typically writable by the `asterisk` user and by members of the `asterisk` group. A user who is a member of the `asterisk` group can place a malicious `freepbx_engine` file in this directory. When `amportal` executes, it runs this file with root privileges, so that user escalates to root without having had root access initially. This vulnerability affects FreePBX 16 before 16.0.45 and FreePBX 17 before 17.0.24; those releases contain the fix. Mitigations include restricting membership of the `asterisk` group to trusted users, checking for suspicious files in `/etc/asterisk/`, ensuring `live_dangerously = no` is set in `/etc/asterisk/asterisk.conf`, and removing unsafe custom dial plan functions that manipulate the filesystem. [1]
How can this vulnerability impact me?
This vulnerability allows a local user who is a member of the `asterisk` group to escalate privileges to root by placing a malicious `freepbx_engine` file in the `/etc/asterisk/` directory. An attacker with local access and that group membership can therefore gain full control over the host, compromising the confidentiality, integrity, and availability of the affected system. The result is unauthorized root-level access, which can be used to execute arbitrary commands, modify system files, and disrupt services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect exposure to this vulnerability by checking for suspicious files named `freepbx_engine` in the `/etc/asterisk/` directory, since any member of the `asterisk` group could have placed a malicious file there. Use a command such as `ls -l /etc/asterisk/freepbx_engine` to check for the presence and ownership of this file. Additionally, verify which users belong to the `asterisk` group with `getent group asterisk` or `grep asterisk /etc/group`. Also confirm that `live_dangerously = no` is set, or that the setting is absent (the default is no), in `/etc/asterisk/asterisk.conf` by running `grep live_dangerously /etc/asterisk/asterisk.conf`. Finally, review any custom dial plan applications or functions that manipulate the filesystem, such as System() or FILE(), to ensure they are not used unsafely. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Ensure only trusted local OS users are members of the `asterisk` group, to limit who can write to `/etc/asterisk/`.
2. Remove or audit any suspicious `freepbx_engine` files in `/etc/asterisk/`.
3. Confirm that `live_dangerously = no` is set, or that the setting is absent (the default is no), in `/etc/asterisk/asterisk.conf`.
4. Eliminate any unsafe custom use of Asterisk dial plan applications and functions that can manipulate the filesystem, such as System() and FILE().
5. Upgrade FreePBX to version 16.0.45 or 17.0.24 or later, where the vulnerability is fixed. [1]
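The detection commands and mitigation checks above can be combined into one script that an administrator runs on a FreePBX host. The following is an added example, not tooling from BaseFortify, Sangoma or the FreePBX project. It only verifies the conditions the page names (a `freepbx_engine` file in the config directory, the `live_dangerously` setting, `asterisk` group membership, and System()/FILE() in dial plan files); the assumption that custom dial plan lives in `extensions*.conf` under the config directory, and the directory and group-file parameters, are the example's own choices so the checks can be pointed at a copied config tree.

```shell
#!/bin/sh
# Added example: defender-side checks for the CVE-2025-67722 conditions described above.
# Not BaseFortify's, Sangoma's or FreePBX's own tooling. Paths are parameters so the
# checks can run against a copied config tree; asterisk.conf, freepbx_engine and the
# System()/FILE() names come from the page, extensions*.conf is an assumption.

# Is the config directory group-writable? (The precondition the page describes.)
# Returns 1 when it is, so a caller can decide how to treat that.
check_dir_group_writable() {
    dir="$1"
    [ -d "$dir" ] || { echo "SKIP: $dir does not exist"; return 0; }
    mode=$(ls -ld "$dir" | cut -c1-10)          # e.g. drwxrwxr-x
    case "$mode" in
        ?????w????) echo "INFO: $dir is group-writable ($mode); group members can drop files here"; return 1 ;;
        *)          echo "OK: $dir is not group-writable ($mode)"; return 0 ;;
    esac
}

# Is there a freepbx_engine file? amportal would execute it as root.
check_engine_file() {
    f="$1/freepbx_engine"
    if [ -e "$f" ]; then
        echo "WARN: $f exists: $(ls -l "$f")"
        return 1
    fi
    echo "OK: no freepbx_engine in $1"
    return 0
}

# live_dangerously must be "no" or absent (absent means the default, no).
check_live_dangerously() {
    conf="$1/asterisk.conf"
    if [ -f "$conf" ] && grep -Eiq '^[[:space:]]*live_dangerously[[:space:]]*=[[:space:]]*yes' "$conf"; then
        echo "WARN: live_dangerously = yes in $conf"
        return 1
    fi
    echo "OK: live_dangerously is not enabled in $conf"
    return 0
}

# Prints the member list of the asterisk group from a group file (empty if absent).
asterisk_group_members() {
    awk -F: '$1 == "asterisk" { print $4 }' "${1:-/etc/group}" 2>/dev/null
}

# Lists dial plan files that mention System( or FILE( so they can be reviewed by hand.
# Assumption: custom dial plan is kept in extensions*.conf in the config directory.
find_unsafe_dialplan() {
    dir="$1"
    [ -d "$dir" ] || return 0
    grep -Eil 'System\(|FILE\(' "$dir"/extensions*.conf 2>/dev/null || true
}

# Runs every check; the return value is the number of findings (0 = nothing flagged).
# Group-writability is reported but not counted, since the page describes it as normal.
run_all_checks() {
    dir="${1:-/etc/asterisk}"
    groupfile="${2:-/etc/group}"
    findings=0
    check_dir_group_writable "$dir" || true
    check_engine_file "$dir" || findings=$((findings + 1))
    check_live_dangerously "$dir" || findings=$((findings + 1))
    members=$(asterisk_group_members "$groupfile")
    echo "INFO: asterisk group members: ${members:-<none>}"
    unsafe=$(find_unsafe_dialplan "$dir")
    if [ -n "$unsafe" ]; then
        echo "REVIEW: System()/FILE() found in: $unsafe"
        findings=$((findings + 1))
    fi
    echo "Findings: $findings"
    return "$findings"
}

# Run against the live host; override the paths to inspect a copied config tree.
run_all_checks "${ASTERISK_DIR:-/etc/asterisk}" "${GROUP_FILE:-/etc/group}"
```

A non-zero exit status means at least one of the page's conditions was found; any `REVIEW` line still needs a human to decide whether the dial plan use is legitimate, and the `INFO` line about group members is the list to compare against the set of trusted local users.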
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated local user with membership in the `asterisk` group to escalate privileges to root by placing a malicious file in a writable directory. Successful exploitation can compromise the confidentiality, integrity, and availability of the system. Such a compromise could lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate protection of sensitive data and system integrity. Therefore, this vulnerability poses a risk to compliance with these regulations if exploited. [1]