FreePBX | Register | Issues | Wiki | Portal | Support

Critical FreePBX RCE Vulnerability (ALL Versions) CVE-2014-7235


(TheJames) #1

##Critical FreePBX RCE Vulnerability (ALL Versions)

CVE: 2014-7235
Date: 2014-09-30
Author: James Finstrom
Ticket: http://issues.freepbx.org/browse/FREEPBX-8070

UPDATE:
Please run the commands in
http://wiki.freepbx.org/display/L1/FreePBX+Security+Scan

We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.

This exploit allows users to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which may then be used to grant the attacker full remote code execution access as the user running the Apache process.

We have released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12 per our security policy which covers releases that have come out over the last 3.5 years. Versions 2.8 and prior can be easily updated to 2.9 or higher through Module Admin which will remove the vulnerability. Versions 2.11 and 12 are the only officially supported versions of FreePBX but we always apply security patches to the two prior versions as well.

FreePBX Distro users can update to either version 5.211.65-19 or 6.12.65-18 depending on which software track they are using, to obtain the latest security patches. PBXact users can update to software version 10.211.65-8 for the fix.
Note that just disabiling the ARI module will not fix this issue on impacted systems.

Users prior to FreePBX 12 should update FreePBX ARI Framework to version 2.11.1.5 immediately.

FreePBX 12 users should disable and uninstall the legacy FreePBX ARI Framework module and switch to the new User Control Panel, which is not to be confused with the previous ‘User Control Panel Tab’.
Please note that indications of a compromised system include the presence of an “System Admin Dashboard” also called “admindashboard” module, the files c2.pl and/or c.sh.

If you are using the FreePBX Distro we have fixed this with upgrade scripts 5.211.65-19 and 6.12.65-18. As always review the wiki here on how to keep your FreePBX Distro system updated.

If these are present then your system has potentially been compromised. You should urgently remove this module via a system shell.
Due to various differences between machines, your AMPWEBROOT may be in /var/www/admin, /var/www/html/admin, or potentially any other place.
To determine the location, if you are unaware, it is visible in the Advanced Settings page, as ‘FreePBX Web Root Dir’. FreePBX Distro based machines are set to ‘/var/www/html’
First, run the command:

rm -rf AMPWEBROOT/admin/modules/admindashboard

replacing the ‘AMPWEBROOT’ with the system setting.
Then run the following command to remove all traces of it from FreePBX

amportal a ma delete admindashboard

There will be an error output saying that uninstallation scripts failed to run, however this is expected, and is signifying that the module was removed successfully.

You must also remove any references to c2.pl or c.sh. which can be found by running the commands:

updatedb
locate c2.pl
locate c.sh

We have also noticed that additional Administrator users may have been created as part of a scripted attack. We urge you to verify that your machine does not have any additional unknown ‘Administrator’ users in the “Administrators” page.

Please note the FreePBX ARI Framework module used an independent authentication scheme and does not relate to the FreePBX authentication settings of none, database or web server.

Remember the best practice to avoid risk is to not expose your system to the public internet.

In FreePBX 12 we have implemented module signing which was a key element in identifying this issue.


Users of FreePBX 12 should always take note of the tamper and/or unsigned module notices that show in their system.

Schmooze Com takes security of FreePBX and our other communications products seriously. In practice there are more eyes on the code in open source software than there are in closed source software, however the truth of the matter is security of any technological product is not determined by the method of distribution. This year’s earlier issues with the Heart-bleed Open SSL security defect brought to light not only how much of an impact open source software has on the entire Internet infrastructure, but emphasized the fact that we must continually improve the tools we provide our developers and community to review and scrutinize our codebase for potential security issues and bugs.

Since it’s inception FreePBX has had source and ticket management tools in place to provide transparency to our users. We continue to make huge investments in time, energy, and infrastructure to continually improve these tools. When security problems are found in open source software, the visibility of the code and ease of use provided by these new management tools allow diverse teams to collaborate and contribute code fixes. Bug and security fixes are often available within a matter of hours.

If you find a potential bug in FreePBX you can open a ticket at issues.freepbx.org

http://vimeo.com/schmooze/freepbx-feature-requests-bug-tickets

Or for potential security related issues, send an email to the security team at security@freepbx.org

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score  - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8
Overall CVSS Score - 6

Possible security exploit in /admin/modules/admindashboard/phpsysinfo/common_admin_functions.php
FreePBX Hacker, help please!
After doing a yum update and upgrading all the modules on free pbx, GUI now displays Blank Screen
Hacked via /tmp perl scripts
Can't login invalid password /admin 403 forbidden
(TheJames) #4

This topic is now a banner topic. It will appear at the top of every page until it is dismissed by the user.


(TheJames) pinned #5

(TheJames) unpinned #6

(TheJames) pinned globally #7

(td1984r) #8

Hello,

Can you please help out regarding this critical update of ARI
Framework on Elastix system. I cannot update Freepbx to version 2.9
since Elastix latest stable release 2.4.0 uses Freepbx 2.8

I already tried upgrade and force it, but it brakes Elastix and web interface without possibility of recovery.

Is there a way to patch ARI framework on freePBX 2.8 without upgrading to ver 2.9?

Thank you very much.

Slaven.


(Tony Lewis) #9

You would need to talk with Elastix since they are using a old and unsupported version of FreePBX that has not been supported in a long time.


(TheJames) #10

Elastix has a bug up you may wish to participate in http://bugs.elastix.org/view.php?id=2003


(TheJames) #11

Please be aware that the files mentioned in this post are the only known exploit in the wild. When a notice like this goes live the code monkeys review the patch and go to work building their own ways to exploit the vulnerability. Dont assume because these files aren’t present that you are safe. If you haven’t updated you are still exposed. If you find other exploit signatures please let us know.


Hack again from shell shock (recordings/index.php)
(Boris) #12

I also have been hacked by this vulnerability. And the interesting thing - I did never trust freepbx web interface and did not want to have it available from the internet BUT…
but I could not block 80 port completely because I need to have other sites available.
So in the /etc/httpd/conf.d/freepbx.conf I have changed “Allow from All” to “Allow from 127.0.0.1 192.168.0”. Everything was fine until one update replaced it with “clean” freepbx.conf with 'allow all".
You are doing security settings but update just removes them. Very nice!


(TheJames) #13

This vulnerability has nothing to do with the FreePBX webui it is within a 3dr party component we include called the Asterisk Recording Interface Framework. With 12 we have deprecated use of this component in favor of our own solution the UCP. Generally you would never make changes to any packaged config because updating of it’s parent package will nuke your changes. Also Apache is not the correct place to be blocking/allowing IP addresses. If they have gotten to apache they are already in even if apache says no. Access control should be done ideally at the edge of your network If your PBX is at the edge of your network for some odd reason then use IPTables to control IP based access.


(Boris) #14

Apache is good enough to restrict access for virtual sites. It was not problem with Apache, it was problem with update that replaced security file. It’s like iptables update cleans all iptables rules. If conf file is changed normal behavior to keep it and rename new file to “rpmnew”.


(Bob Reiber) #15

I see that the distro on the downloads page is still 5.211.65-16, maybe that should be -19?


(Tony Lewis) #16

It already has been updated. Looks like someone forgot to update the text. Will do that now but it does install -19


#17

How do I know that the issue is resolved?
FreePBX 2.11


(Harry Tran) #18

I updated Freepbx distro but attacker created freepbx admin user, and I can not delete it. Pleae help me with this

attacker admin user: mgknight


#19

Same issue as harrytran. I’ve got a user mgknight that I cannot delete. Any help appreciated.

Thanks!
Westley


(Tony Lewis) #20

Were your systems updated before these users were created.


#21

No for me. I tried deleting both before and after updating.

Westley


(Andrew Nagy) #23

What happens when you try to delete it?