I was hacked? (AppDial2)

FYI, I had 2 systems that had this stasis app abuse & they ONLY had port 8089 open to the public (not 8088), so I suggest you still might be vulnerable.

We use several WebRTC call buttons (call from the website) that use port 8089.
Unfortunately, it must be open to all networks. Any ideas how to protect yourself?
Before FreePBX we use a pfSense firewall with the pfBlocker package, which blocks questionable IP addresses.

I personally don’t know how to protect 8089 against being vulnerable to this attack, Sangoma’s own Wiki page says 8089 is ‘Safe to open this up to untrusted networks as the traffic is encrypted with SSL and requires username and password authentication’, however, it wasn’t safe for me on 2 systems & so I’ve had to block it from the outside world (I wasn’t using WebRTC & so it being blocked is not such a deal-breaker for me).

Trying to establish how this attack happened & whether 8089 should be safe to open to the public (like the Wiki suggests) is kinda what the other thread is all about. At the moment it's unclear whether the attacker knew/was able to get the default [freepbxuser] password -OR- did they somehow manage to connect without credentials.
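As an added worked example (not code from this thread, from FreePBX or from Asterisk): the two posts above boil down to a handful of settings in Asterisk's http.conf and ari.conf, namely what address the 8088/8089 listener binds to, whether TLS is on, whether ARI's allowed_origins is wide open, and whether each ARI [user] is read/write with a short plaintext password. The script below reads those two files and reports what it finds. The option names are the standard http.conf/ari.conf ones; the 20-character threshold, the severity wording and both sample configs are this example's own assumptions, and the [freepbxuser] section is constructed for illustration, not the one FreePBX generates.

```python
"""Audit Asterisk http.conf / ari.conf for the ARI-on-8089 exposure discussed
in the thread. Added example, not Asterisk or FreePBX code; option names are
the standard ones, thresholds and wording are this script's assumptions."""
import configparser
import re
from typing import List

WEAK_MIN_LEN = 20                     # assumption: a generated ARI secret is long
ANY_ADDR = {"0.0.0.0", "::", "[::]"}  # binds that listen on every interface


def parse_asterisk_conf(text: str) -> configparser.ConfigParser:
    """Parse an Asterisk-style .conf ('key = value' or 'key => value', ';'
    comments). Templates ([name](!)) and #include are not handled here."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True,
                                   comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",))
    cp.optionxform = str              # keep option names as written
    cp.read_string(text.replace("=>", "="))
    return cp


def _host(addr: str) -> str:
    return re.sub(r":\d+$", "", addr.strip())  # drop a trailing :port


def audit_http_conf(text: str) -> List[str]:
    """http.conf drives the listener ARI rides on (8088 plain, 8089 TLS)."""
    cp, out = parse_asterisk_conf(text), []
    if not cp.has_section("general"):
        return out
    g = cp["general"]
    if g.get("enabled", "no").strip().lower() != "yes":
        return out                    # HTTP server off: nothing listens
    tls = g.get("tlsenable", "no").strip().lower() == "yes"
    if not tls:
        out.append("http.conf: tlsenable is not yes, so ARI credentials would "
                   "cross the wire in clear on the plain bindport")
    for opt in (("bindaddr", "tlsbindaddr") if tls else ("bindaddr",)):
        addr = g.get(opt, "")
        if not addr:
            out.append(f"http.conf: {opt} not set; confirm the effective "
                       "listener with the CLI command 'http show status'")
        elif _host(addr) in ANY_ADDR:
            out.append(f"http.conf: {opt}={addr.strip()} listens on every "
                       "interface; bind to a private address or firewall it")
    return out


def audit_ari_conf(text: str) -> List[str]:
    """ari.conf: global exposure plus every [user] section."""
    cp, out = parse_asterisk_conf(text), []
    g = cp["general"] if cp.has_section("general") else {}
    if str(g.get("enabled", "no")).strip().lower() != "yes":
        return out                    # ARI disabled entirely
    if str(g.get("allowed_origins", "")).strip() == "*":
        out.append("ari.conf: allowed_origins=* accepts WebSocket clients from "
                   "any web origin; list only your own site(s)")
    for name in cp.sections():
        s = cp[name]
        if s.get("type", "").strip().lower() != "user":
            continue
        pw = s.get("password", "").strip()
        if s.get("password_format", "plain").strip().lower() == "plain" \
                and len(pw) < WEAK_MIN_LEN:
            out.append(f"ari.conf: [{name}] has a {len(pw)}-character plaintext "
                       "password; use a long random secret")
        if s.get("read_only", "no").strip().lower() != "yes":
            out.append(f"ari.conf: [{name}] is read/write, so whoever holds its "
                       "password can originate calls through /ari/channels")
    return out


def audit(http_text: str, ari_text: str) -> List[str]:
    return audit_http_conf(http_text) + audit_ari_conf(ari_text)


# Constructed samples: an exposed pair of files and a tightened ari.conf.
HTTP_SAMPLE = """[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem
"""
ARI_EXPOSED = """[general]
enabled = yes
allowed_origins = *
; constructed user; the name only mirrors the one mentioned in the thread
[freepbxuser]
type = user
read_only = no
password = freepbxuser
"""
ARI_HARDENED = """[general]
enabled = yes
allowed_origins = https://pbx.example.com
[reporter]
type = user
read_only = yes
password = 3f9c1d7e8b2a4c6d9e0f1a2b3c4d5e6f
"""

if __name__ == "__main__":
    for finding in audit(HTTP_SAMPLE, ARI_EXPOSED):
        print("-", finding)
    print("hardened ari.conf findings:", audit_ari_conf(ARI_HARDENED))
```

Run it against copies of your own two files (open them and pass the text to `audit`). A Stasis application that must place calls needs a read/write user, so in that case the read/write line is informational and the weight falls on the password length, the origin list and keeping the listener off untrusted networks; a web-facing WebRTC button does not need ARI at all, so the 8089 listener can stay reachable for WebSocket/SIP while ARI itself is disabled or bound elsewhere.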

I will say this again just in case anyone missed it. Outside of the FreePBX community no one running a pure Asterisk install (or non-FreePBX based projects) has reported or seen any issues with ARI/WebRTC and bypassing any authentication.

And yet this IS the FreePBX community; as yet, no substantive answer...

And yet it is an ARI hack. So if putting on the table ARI allowed no-auth access, which it shouldn't and thus would be a bug, then Asterisk not hearing about this for the last 3 weeks (since this was reported) is kind of relevant. This would fall under a security flaw and a security release of the current version (à la 18.16.1 or 20.0.1) would be released to fix it.

In other words, Asterisk bugs impact all users of Asterisk, including FreePBX users. FreePBX bugs only impact FreePBX users or those deriving from FreePBX.

For now, we have decided to temporarily close port 8089, abandoning WebRTC.
I'm pretty sure this hack is a user authentication bypass for [freepbxuser].
As you rightly noted, [MAWalker].
In our installation, we use passwords of 32 characters (letters, numbers, special characters). Even for extensions.
I’m sure it’s a real backdoor that’s still open.

Asterisk 16.28.0
FreePBX 16.0.33


Our current thinking is summarized here Recent reports of ARI exploit on FreePBX systems - #2


Why in the world was this post flagged? Seriously. Me asking what version of Asterisk they had so I could try and replicate their issue was something that needed flagging?

GDJFC maybe?

Oh I see, I can’t express any feelings. Got it.

Feelings accepted, nastiness less so; honey vs vinegar... BAAMYSTYT

I'm going to do a clean install of Asterisk & FreePBX on Ubuntu 22.04 without all the commercial modules, which I absolutely do not need.
Just a single module: sysadmin. But I'm ready to give it up. Now it's funny for me to watch the unthinkable firewall settings in FreePBX.
I completely revised the security policy on the firewall before PBX.

And what is unthinkable about it? Seriously.

And if the only module wanted is sysadmin, then you are SOL on Ubuntu

  1. I really don’t like this module because I find the settings for trusted networks and hosts completely absurd.
  2. All I needed was solved by fail2ban.
    In addition, I definitely recommend using a firewall before PBX.
    For example pfSense.

The built-in firewall has already shown its "efficiency", in that a third-party application can easily connect, like AMI (Stasis).

In this module it’s just convenient to set up email notification settings. No more.
It is not even capable of listening on the SNMP port to properly shut down the server.

I am not sure you fully understand how firewalls work.

I know how it works.
I said that I don’t like how it works. And how it is implemented in general.