False positive detection of CVE-2020-10666 (FreePBX RCE)

Hello,

I’m using GVM 21.6.1 on Kali Linux.

I believe there is a false positive in the detection of CVE-2020-10666.
“FreePBX 13.x <= 13.0.93.2, 14.x <= 14.0.22.2, 15.x <= 15.0.19.2 RCE Vulnerability”

The file is plugins/2021/freepbx/gb_freepbx_rce_vuln_mar20.nasl.

If one reads the vendor URL about this ->
https://wiki.freepbx.org/display/FOP/2020-03-12+SECURITY%3A+Potential+Rest+Phone+Apps+RCE
you will see that the vulnerability exists in “restapps” (a commercial module) and not in the core FreePBX framework itself.

The plugin gets the version of FreePBX (core framework), not of the restapps module.

Because the latest version of the FreePBX core framework is 15.0.17.43 (at the time of writing), which is < 15.0.19.2 (the fixed restapps module version), the script falsely reports the FreePBX installation as vulnerable.

How can this be fixed in a future version of the detection script?
Thanks!

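An added illustration of the mismatch described in this post (not code from the thread or from the Greenbone VT): the branch ranges come from the quoted VT title, and the `assess()` gate that requires the version to belong to the restapps module is an assumed fix, not the VT's actual logic.

```python
# Added example: reproduces the version-range check described in the post and
# shows why a core-framework version inside the module's affected range is a
# false positive. Ranges are taken from the VT title quoted in the post:
# per major branch, every version up to and including the listed one is affected.
AFFECTED_RANGES = {
    13: (13, 0, 93, 2),
    14: (14, 0, 22, 2),
    15: (15, 0, 19, 2),
}


def parse_version(text):
    """Turn '15.0.17.43' into a tuple of ints so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def version_in_affected_range(version):
    """True if the version falls inside one of the affected branches."""
    v = parse_version(version)
    upper = AFFECTED_RANGES.get(v[0])
    if upper is None:
        return False  # branch (e.g. 16.x) is not covered by the advisory
    return v <= upper


def assess(component, version):
    """Assumed decision logic (hypothetical, not the VT's): only a version that
    belongs to the 'restapps' module is compared against the affected ranges,
    because the advisory covers that module and not the core framework."""
    if component != "restapps":
        return "not_applicable"  # version comes from a different component
    return "vulnerable" if version_in_affected_range(version) else "not_vulnerable"


if __name__ == "__main__":
    # Constructed inputs: the core version named in the post, and the same
    # version string if it had been read from the restapps module instead.
    print("core 15.0.17.43 in range:", version_in_affected_range("15.0.17.43"))
    print("framework:", assess("framework", "15.0.17.43"))
    print("restapps:", assess("restapps", "15.0.17.43"))
```

The first line of output shows the raw range check firing on the core version, which is exactly the false positive; the component gate is what stops it.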

Hey,

thanks a lot for this detailed posting and the thorough analysis.

The first step was already done: Creating this posting

The next step is now: The posting needs to be evaluated / handled by a feed team member. I created an internal issue about this task a few minutes ago; a member of the feed team might come up with additional questions or information about this.


Hey,

again, thanks for bringing this to our attention. You’re absolutely correct: The vulnerability range is not about the core product, but a FreePBX module.

Currently there is no way to detect a list of installed modules (as they can only be obtained post authentication), so this VT might probably get deprecated in the near future.

Cheers.


Thank you very much for looking into this and confirming.

Until it’s deprecated, I’ll probably mark it as a false positive in our installation.

Cheers,
Sot.
