Sangoma’s Official Response: Re: Palo Alto Jul 15 2022 PBX Security Blog Post | FreePBX - Let Freedom Ring
I genuinely can’t figure out what I’m reading here. Initially I thought the writer had confused the word ‘elastix’ with the word ‘asterisk’, easy enough to do I suppose, but given the gravity of the subject, one expects more attention to detail. There is also obvious confusion between the digium_phones FreePBX module and hardware phones manufactured by Digium.
I believe this is just a rehash of the CVE from 2020 (and the regression from 2021), both of which are documented and patched. But that exploit involved Phone Apps, not the digium_phones module, and since Elastix is involved in this report somehow, it wouldn’t have been able to support the Phone Apps module. In any case, since Elastix went end of life in 2016, the fact that they can exploit an Elastix system (if in fact that’s what they did) isn’t newsworthy in the slightest.
If nothing else, this report is a wakeup call to anyone running an old Elastix system in production. It’s long past time to decommission it. You can move to a current version of FreePBX and get much the same operation that you’re used to in a fully supported system.
Unfortunately I don’t see anything that FreePBX Engineering can do with this report. We have no reports of issues with the digium_phones module nor do we have other reports of currently exploitable code. There was no effort on the part of the publisher to reach out to FreePBX or Sangoma for comment (that I can find) and there is much conflicting detail and outright incorrect statements. It’s a mishmash of nonsense. Unless someone is able to translate this report into something we can work with, we have no choice but to dismiss this as clickbait. Security issues for any Sangoma product can be reported by emailing [email protected].
Edit: others find it confusing as well: WebRTC 0day, FreePBX not Asterisk attacks and talks at MCH2022 – Communication Breakdown - Real-Time Communications Security