Unfortunately Asterisk REST Interface was enabled even though I don’t use it.
I can’t understand just one thing, how did an external application gain access without using a login and password? Or am I missing something?
I also went through a similar post in detail - App2 to Dial - Hacked?
This response is like “why didn’t you lock the door?” when someone says they were robbed… not really a helpful question.
I’m also a little concerned with responses (not specifically yours) in other threads that say that the ultimate answer is a firewall.
OK, you should have a firewall, but shouldn’t we also be fixing these exploitable bugs in FreePBX and/or Asterisk?
I am kind of betting on the instances in this thread being old exploits that have since been fixed. What versions are you running, @maxyca and @snaggy ? (fwconsole ma list)
Actually it is. Because if there is no firewall in place, right now, they are exposed to even more trouble.
Well, who said this was a bug or an exploit? This goes back to “do you have a firewall in place” because if the answer, again, is no then that means the bad actor could have actually gotten into the system another way and exposed this. Much like how the age old “thankyou” attack happened. They got into an open system and modified the extensions_custom.conf file.
I mean on every system I’ve looked at, the ARI (which is how Statis is being called) password is around a 64 character password. It’s not like it was set to 123456.
I asked if there is an active firewall because that actually matters on how this could have happened. You are just assuming a bug did this without any sort of data to back up your claim.
The asterisk is installed behind the firewall. Only ports for TLS (all), WebRTC (all), SIP 5060 (only on trusted networks).
The only one thing - active API REST interface.
All passwords are 32 characters with special characters.
I have no idea how an external application could connect. I also wrote to Sangoma, but unfortunately I still have not received a response.
The firewall on FreePBX is turned off because it’s behind another firewall.
Any ideas?
I kinda agree with @BlazeStudios , would like to see some logs . I have seen a few of these “Stasis” intrusion posts now, and most of them admitted their ports have been wide open to the world. Particularly port 8088.
Unfortunately the log file has been cleared. I don’t know why, I decided to clean it up after the invasion. To watch again.
Now I just open 8089 port for WebRTC. So far so good.
Thanks for you link…
I think that in my case there was a problem with the open port 8088 through which an external application stasis was connected.
Now I have closed it. I have only 8089 port (open for everyone) for WebRTC calls from the browser. As long as it’s okay…
FYI, I had 2 systems that had this stasis app abuse & they ONLY had port 8089 open to the public (not 8088), so I suggest you still might be vulnerable.
We use several WebRTC call buttons (call from the website) that use port 8089.
Unfortunately, it must be open to all networks. Any ideas how to protect yourself?
Before FreePBX we use a pfSense firewall with pfBlocker packege which blocks questionable IP addresses.
I personally don’t know how to protect 8089 against being vulnerable to this attack, Sangoma’s own Wiki page says 8089 is ‘Safe to open this up to untrusted networks as the traffic is encrypted with SSL and requires username and password authentication’, however, it wasn’t safe for me on 2 systems & so I’ve had to block it from the outside world (I wasn’t using WebRTC & so it being blocked is not such a deal-breaker for me).
Trying to establish how this attack happened & whether 8089 should be safe to open to the public (like the Wiki suggests) is kinda what the other thread is all about. At the moment its unclear whether the attacker knew/was able to get the default [freepbxuser] password -OR- did they somehow manage to connect without credentials.
I will say this again just in case anyone missed it. Outside of the FreePBX community no one running a pure Asterisk install (or non-FreePBX based projects) has reported or seen any issues with ARI/WebRTC and bypassing any authentication.
And yet it is an ARI hack. So if putting on the table ARI allowed no auth access, which it shouldn’t and thus would be a bug, then Asterisk not hearing about this for the last 3 weeks (since this was reported) is kind of relevant. This would fall under a security flaw and a security release of the current version (ala 18.16.1 or 20.0.1) would be released to fix it.
In other words, Asterisk bugs impact all users of Asterisk, including FreePBX users. FreePBX bugs only impact FreePBX users or those deriving from FreePBX.