Critical FreePBX RCE Vulnerability (ALL Versions) CVE-2014-7235

## Critical FreePBX RCE Vulnerability (ALL Versions)

CVE: 2014-7235
Date: 2014-09-30
Author: James Finstrom
Ticket: http://issues.freepbx.org/browse/FREEPBX-8070

UPDATE:
Please run the commands in
http://wiki.freepbx.org/display/L1/FreePBX+Security+Scan

We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.

This exploit allows users to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which may then be used to grant the attacker full remote code execution access as the user running the Apache process.

We have released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12 per our security policy which covers releases that have come out over the last 3.5 years. Versions 2.8 and prior can be easily updated to 2.9 or higher through Module Admin which will remove the vulnerability. Versions 2.11 and 12 are the only officially supported versions of FreePBX but we always apply security patches to the two prior versions as well.

FreePBX Distro users can update to either version 5.211.65-19 or 6.12.65-18 depending on which software track they are using, to obtain the latest security patches. PBXact users can update to software version 10.211.65-8 for the fix.
Note that just disabling the ARI module will not fix this issue on impacted systems.

Users prior to FreePBX 12 should update FreePBX ARI Framework to version 2.11.1.5 immediately.

FreePBX 12 users should disable and uninstall the legacy FreePBX ARI Framework module and switch to the new User Control Panel, which is not to be confused with the previous ‘User Control Panel Tab’.
Please note that indications of a compromised system include the presence of a “System Admin Dashboard” (also called “admindashboard”) module, and the files c2.pl and/or c.sh.

If you are using the FreePBX Distro we have fixed this with upgrade scripts 5.211.65-19 and 6.12.65-18. As always review the wiki here on how to keep your FreePBX Distro system updated.

If these are present then your system has potentially been compromised. You should urgently remove this module via a system shell.
Due to various differences between machines, your AMPWEBROOT may be in /var/www/admin, /var/www/html/admin, or potentially any other place.
If you are unsure of the location, it is visible in the Advanced Settings page as ‘FreePBX Web Root Dir’. FreePBX Distro based machines are set to ‘/var/www/html’.
First, run the command:

rm -rf AMPWEBROOT/admin/modules/admindashboard

replacing ‘AMPWEBROOT’ with the system setting.
Then run the following command to remove all traces of it from FreePBX:

amportal a ma delete admindashboard

There will be an error output saying that uninstallation scripts failed to run, however this is expected, and is signifying that the module was removed successfully.

You must also remove any references to c2.pl or c.sh, which can be found by running the commands:

updatedb
locate c2.pl
locate c.sh
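As an added example (not part of the advisory), the following POSIX shell function audits a FreePBX web root for the indicators named above without deleting anything, and builds two constructed demo trees so it can be exercised offline. It assumes the first argument is the ‘FreePBX Web Root Dir’ value from Advanced Settings; extra arguments are additional directories to search for the dropped scripts.

```shell
# Report every indicator found under the given web root (and any extra
# directories); return 1 if something was found, 0 if the tree is clean.
# Uses find rather than locate so it does not depend on an updatedb run.
freepbx_ioc_scan() {
    webroot="$1"
    found=0
    # 1. The rogue "System Admin Dashboard" module directory
    if [ -d "$webroot/admin/modules/admindashboard" ]; then
        echo "INDICATOR: module directory $webroot/admin/modules/admindashboard"
        found=1
    fi
    # 2. The dropped scripts c2.pl / c.sh anywhere under the paths given
    hits=$(find "$@" -type f \( -name c2.pl -o -name c.sh \) 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/INDICATOR: suspicious file /'
        found=1
    fi
    return $found
}

# Constructed demo trees (not a real system) so the scan can be tried offline.
make_compromised_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/admin/modules/admindashboard" "$d/admin/modules/framework"
    : > "$d/admin/modules/admindashboard/module.xml"
    : > "$d/admin/modules/framework/module.xml"
    : > "$d/c2.pl"
    echo "$d"
}

make_clean_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/admin/modules/framework"
    : > "$d/admin/modules/framework/module.xml"
    echo "$d"
}
```

On a live system run it as `freepbx_ioc_scan /var/www/html /var/www /tmp` (substituting your own web root) and act on any INDICATOR lines with the removal steps above.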

We have also noticed that additional Administrator users may have been created as part of a scripted attack. We urge you to verify that your machine does not have any additional unknown ‘Administrator’ users in the “Administrators” page.

Please note the FreePBX ARI Framework module used an independent authentication scheme and does not relate to the FreePBX authentication settings of none, database or web server.

Remember the best practice to avoid risk is to not expose your system to the public internet.

In FreePBX 12 we have implemented module signing which was a key element in identifying this issue.

Users of FreePBX 12 should always take note of the tamper and/or unsigned module notices that show in their system.

Schmooze Com takes security of FreePBX and our other communications products seriously. In practice there are more eyes on the code in open source software than there are in closed source software, however the truth of the matter is security of any technological product is not determined by the method of distribution. This year’s earlier issues with the Heartbleed OpenSSL security defect brought to light not only how much of an impact open source software has on the entire Internet infrastructure, but emphasized the fact that we must continually improve the tools we provide our developers and community to review and scrutinize our codebase for potential security issues and bugs.

Since its inception FreePBX has had source and ticket management tools in place to provide transparency to our users. We continue to make huge investments in time, energy, and infrastructure to continually improve these tools. When security problems are found in open source software, the visibility of the code and ease of use provided by these new management tools allow diverse teams to collaborate and contribute code fixes. Bug and security fixes are often available within a matter of hours.

If you find a potential bug in FreePBX you can open a ticket at issues.freepbx.org

http://vimeo.com/schmooze/freepbx-feature-requests-bug-tickets

Or for potential security related issues, send an email to the security team at [email protected]

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score  - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8
Overall CVSS Score - 6


Hello,

Can you please help out regarding this critical update of the ARI Framework on an Elastix system? I cannot update FreePBX to version 2.9 since the Elastix latest stable release 2.4.0 uses FreePBX 2.8.

I already tried the upgrade and forced it, but it breaks Elastix and the web interface without possibility of recovery.

Is there a way to patch ARI framework on freePBX 2.8 without upgrading to ver 2.9?

Thank you very much.

Slaven.

You would need to talk with Elastix since they are using an old and unsupported version of FreePBX that has not been supported in a long time.

Elastix has a bug up you may wish to participate in http://bugs.elastix.org/view.php?id=2003

Please be aware that the files mentioned in this post are the only known exploit in the wild. When a notice like this goes live the code monkeys review the patch and go to work building their own ways to exploit the vulnerability. Don’t assume because these files aren’t present that you are safe. If you haven’t updated you are still exposed. If you find other exploit signatures please let us know.

I also have been hacked by this vulnerability. And the interesting thing: I never trusted the FreePBX web interface and did not want to have it available from the internet BUT…
I could not block port 80 completely because I need to have other sites available.
So in /etc/httpd/conf.d/freepbx.conf I changed “Allow from All” to “Allow from 127.0.0.1 192.168.0”. Everything was fine until one update replaced it with a “clean” freepbx.conf with “Allow all”.
You are doing security settings but the update just removes them. Very nice!

This vulnerability has nothing to do with the FreePBX web UI; it is within a 3rd party component we include called the Asterisk Recording Interface Framework. With 12 we have deprecated use of this component in favor of our own solution, the UCP. Generally you would never make changes to any packaged config because updating its parent package will nuke your changes. Also, Apache is not the correct place to be blocking/allowing IP addresses. If they have gotten to Apache they are already in even if Apache says no. Access control should ideally be done at the edge of your network. If your PBX is at the edge of your network for some odd reason then use iptables to control IP based access.

Apache is good enough to restrict access for virtual sites. It was not a problem with Apache, it was a problem with the update that replaced the security file. It’s like an iptables update cleaning all iptables rules. If a conf file is changed, normal behavior is to keep it and rename the new file to “rpmnew”.

I see that the distro on the downloads page is still 5.211.65-16, maybe that should be -19?

It has already been updated. Looks like someone forgot to update the text. Will do that now, but it does install -19.

How do I know that the issue is resolved?
FreePBX 2.11

I updated the FreePBX distro but the attacker created a FreePBX admin user, and I cannot delete it. Please help me with this.

attacker admin user: mgknight

Same issue as harrytran. I’ve got a user mgknight that I cannot delete. Any help appreciated.

Thanks!
Westley

Were your systems updated before these users were created?

No for me. I tried deleting both before and after updating.

Westley

What happens when you try to delete it?