This is a very confusing read and still not sure what they are actually reporting here. @lgaetz Can you make sense of this?
https://unit42.paloaltonetworks.com/digium-phones-web-shell/
3 Likes
This whole paragraph makes no sense.
Unit 42 observed another operation that targets the Elastix system used in Digium phones
Huh Digium phones do not use elastix anywhere. I am so confused.
The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target’s Digium phone software (a FreePBX module written in PHP). In terms of the timeline, the web shell appears to be correlated to the remote code execution (RCE) vulnerability CVE-2021-45461 in the Rest Phone Apps (restapps) module.
Rest Phone Apps have nothing to do with the Digium Phone module. I just can not make sense of what they are trying to state in all this.
1 Like
Got this in my Google Feed this morning: Hackers Targeting VoIP Servers By Exploiting Digium Phone Software
I speculate that they are referring to this bug that was previously patched, but was discovered again by @billsimon
Ya excerpt that module was never on or installed In Elastix systems as it’s a commercial module.
Secondly they CVR has nothing to do with the Digium Phone module they reference.
None of this makes sense.
1 Like
Looks like nothing more than the old exploit being written about by people who don’t know the technology. Does not inspire me to trust PAN for VoIP network security.
3 Likes
And bleeping computers repeating the same confusing info. Elastix VoIP systems hacked in massive campaign to install PHP web shells
These are the same guys (squitters) as :-
I’m surprised to see that there are still 500000 Elastix systems out there , I bet @franckdanard is also 
ASN 213371 has long been dropped here.
Sorry @dicko you are wrong. 
Since I left IT’TEK, I migrated my system to FreePBX 14 and next 15.
I kept the old box Elastix 2.5 for the fun though (Still off righ now)
However, I think the most of old Elastix 2.5 systems have been migrated to Isabel 4.0, and the rest to the FreePBX systems. How many systems have been migrated to Elastix (3CX)? I will be curious to know!
Sangoma’s Official Response: Re: Palo Alto Jul 15 2022 PBX Security Blog Post | FreePBX - Let Freedom Ring
I genuinely can’t figure out what I’m reading here. Initially I thought the writer had confused the word ‘elastix’ with the word ‘asterisk’, easy enough to do I suppose, but given the gravity of the subject, one expects more attention to detail. There is also obvious confusion between the digium_phones FreePBX module and hardware phones manufactured by Digium.
I believe this is just a rehash of the CVE from 2020 (and the regression from 2021) both of which are documented and patched. But that exploit involved Phone Apps, not the digium_phones module, and since Elastix is involved in this report somehow, it wouldn’t have been able to support the Phone Apps module. In any case, since Elastix went end of life in 2016, the fact that they can exploit an Elastix system (if in fact that’s what they did) isn’t newsworthy in the slightest.
If nothing else, this report is a wakeup call to anyone running an old Elastix system in production. It’s long past time to decommission it. You can move to a current version of FreePBX and get much the same operation that you’re used to in a fully supported system.
Unfortunately I don’t see anything that FreePBX Engineering can do with this report. We have no reports of issues with the digium_phones module nor do we have other reports of currently exploitable code. There was no effort on the part of the publisher to reach out to FreePBX or Sangoma for comment (that I can find) and there is much conflicting detail and outright incorrect statements. It’s a mishmash of nonsense. Unless someone is able to translate this report into something we can work with, we have no choice but to dismiss this as clickbait. Security issues for any Sangoma product can be reported by emailing [email protected].
edit - others find it confusing as well: WebRTC 0day, FreePBX not Asterisk attacks and talks at MCH2022 – Communication Breakdown - Real-Time Communications Security
6 Likes
Ok so I am not a idiot here as I really struggled to understand what they were actually reporting was. Glad to hear it wasn’t just me.
3 Likes
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.