Versions prior to 13.0.3 were vulnerable to an issue with the custom port range not being correctly validated, and it was possible for an attacker who had webuser privileges to gain root privileges. This was fixed in 13.0.3, and is now available for automatic upgrades.
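The advisory above only says that the custom port range was not correctly validated before the firewall acted on it with elevated privileges; it does not describe the exact defect or the fix. As an added illustration (not FreePBX code, and not the actual 13.0.3 patch), the following Python shows the kind of strict validation a privileged helper needs: the range is parsed into integers and bounds-checked, and the command is built as an argument list rather than a shell string, so a value that is not a plain port range is rejected before it can reach anything running as root. The `build_iptables_args` helper and the `tcp`/`udp` allow-list are assumptions for this example.

```python
import re

# Valid TCP/UDP port numbers (assumption: the privileged helper only ever
# needs ports in this range, so anything else is refused outright).
PORT_MIN, PORT_MAX = 1, 65535

# Accept exactly "N" or "N-M" with optional surrounding whitespace and
# nothing else: no shell metacharacters, no extra tokens, no sign.
_RANGE_RE = re.compile(r"^\s*(\d{1,5})\s*(?:-\s*(\d{1,5})\s*)?$")

# Assumption: only these protocols are meaningful for the rule being built.
_ALLOWED_PROTOS = {"tcp", "udp"}


def parse_port_range(text):
    """Parse a user-supplied port range into (low, high).

    Raises ValueError for anything that is not a well-formed, in-bounds
    range. Callers that run with elevated privileges should refuse the
    request on ValueError rather than try to 'clean up' the input.
    """
    if not isinstance(text, str):
        raise ValueError("port range must be a string")
    m = _RANGE_RE.match(text)
    if not m:
        raise ValueError("port range must look like N or N-M")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError("port range out of bounds or reversed")
    return low, high


def is_safe_port_range(text):
    """True if parse_port_range() would accept the value."""
    try:
        parse_port_range(text)
        return True
    except ValueError:
        return False


def build_iptables_args(proto, text):
    """Build an argv list for a hypothetical privileged firewall helper.

    The result is meant for subprocess.run(args) with shell=False, so the
    validated integers are the only user-influenced content in the command.
    """
    if proto not in _ALLOWED_PROTOS:
        raise ValueError("protocol must be tcp or udp")
    low, high = parse_port_range(text)
    spec = str(low) if low == high else "%d:%d" % (low, high)
    return ["iptables", "-A", "INPUT", "-p", proto, "--dport", spec, "-j", "ACCEPT"]


if __name__ == "__main__":
    # Constructed sample inputs: two acceptable ranges and several that a
    # privileged helper must reject before doing anything with them.
    for sample in ["5060", "10000-20000", "20000-10000", "0-10", "70000",
                   "10000-20000; id", "$(id)", ""]:
        print("%-20r -> %s" % (sample, "accepted" if is_safe_port_range(sample) else "rejected"))
```

The important design point is that the helper never interpolates the raw string: it either gets two bounds-checked integers or an exception. That keeps a webuser-controlled setting from becoming a root-level command argument regardless of how the value was stored.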
This post was written before any of Firewall was working, but is left here for historical interest. The second post has the current status.
For those coming in late, read this thread:
As it was getting a bit long, I thought I’d start a new thread, and update everyone on what’s been happening!
It’s been moving up and down my priority list - as you can see from the commits - but it’s almost at a point where I’m looking for people to actually test it, for real!
The requirements are:
- You need to be running FreePBX 13
- You need to be running a CentOS 6 based Distro (I’ll post more about C7 and firewalld shortly)
- You need to have the Sysadmin RPM package installed.
The Sysadmin RPM package is used to enable limited privilege escalation. I’ll probably redo it so it uses something slightly more portable as I get it working on Debian/Ubuntu and other distros (or someone else can, this is all open source, go wild! Pull requests welcome!)
But, for the moment, this means that if you don’t want to put a bunch of extra work in, a recent FreePBX Distro machine will be the easiest thing for you to test on.
If you’re feeling enthusiastic about testing, please either ping me on IRC (join the #freepbx channel on freenode, and type ‘X-Rob’ or ‘xrobau’, and that’ll attract my attention), or, send me a PM here, or just reply to this thread.
I’m also interested in anyone who has any scripts or things like that to actually ATTACK a SIP server, as I want to do some active testing too. I’ll also be exposing a couple of unfiltered machines to the internet (and publishing their details here) for random attacks, if anyone wants to have a go.
The downside is, I’m off at a Vintage Moto Trials event this weekend, so whilst I will have internet access, I won’t have much of a development environment if everything breaks. You may end up with nothing to play with this weekend! (Edit: It was awesome)
So. Who’s interested?!