IncrediblePBX RCE (FIX AVAILABLE)

We were recently informed of an exploit on one of the PBX in a Flash add-ons used with IncrediblePBX, and have detected that this attack is being used in the wild. The exploit must get through PIAF’s http authentication but it’s common to find systems that use the default installation password which is widely known.

This module is not used on any FreePBX Distros nor is it available from our online repository, but since there is a population of PIAF users who may be affected by this we want to make sure everyone is aware of the issue.

Additionally, if you have changed your machine from a PIAF machine to a FreePBX machine and not removed this module, you will also be vulnerable.

If you do not use IncrediblePBX and have not added on any of its components you may generally ignore this.

Users should make sure they are not using the default or other insecure password.
Users should update as soon as the IncrediblePBX developers make an update available.
Users may wish to remove this component if not used.

HTTP Auth can be generally insecure. Do not rely on a secure password with apache to protect you completely.

NOTE: This only affects users using the component mentioned in the link below and does NOT affect other FreePBX installations.

Please see: http://seclists.org/bugtraq/2014/Oct/128 for additional information.
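Since the exploit described above has to get past Apache's HTTP authentication first, one thing an administrator can do right away is look for password-guessing against that login in the Apache access log. The following script is an added example written for this thread, not code from the FreePBX or IncrediblePBX projects. It parses lines in Apache's "combined" log format, counts 401 responses per client address on a protected path prefix, and flags addresses that kept failing and then got a 200 (a guessed credential). The sample log lines are constructed, the `/admin/` prefix and the `maint` user are assumptions about the protected area, and the threshold is arbitrary.

```python
import re
from collections import Counter

# Apache "combined" log format (ip, ident, user, timestamp, request, status, bytes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation-range addresses), not from a real server.
# The /admin/ path and the "maint" user are assumptions for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2014:10:01:02 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.7 - - [20/Oct/2014:10:01:03 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.7 - - [20/Oct/2014:10:01:04 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.7 - - [20/Oct/2014:10:01:05 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.7 - maint [20/Oct/2014:10:01:06 +0000] "GET /admin/ HTTP/1.1" 200 5120
198.51.100.9 - maint [20/Oct/2014:10:05:00 +0000] "GET /admin/ HTTP/1.1" 200 5120
192.0.2.33 - - [20/Oct/2014:10:07:00 +0000] "GET /admin/ HTTP/1.1" 401 381
192.0.2.33 - - [20/Oct/2014:10:07:30 +0000] "GET /static/logo.png HTTP/1.1" 200 900
"""


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, protected_prefix="/admin/", threshold=3):
    """Count HTTP 401s per client on the protected prefix and flag suspicious clients.

    Returns a dict with:
      failures               - {ip: number of 401 responses on the protected prefix}
      brute_force            - ips with at least `threshold` failures
      success_after_failures - ips that received a 200 on the prefix after failing
    """
    failures = Counter()
    success_after_failures = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(protected_prefix):
            continue
        if rec["status"] == "401":
            failures[rec["ip"]] += 1
        elif rec["status"] == "200" and failures[rec["ip"]] > 0:
            # Counter returns 0 for unseen keys without inserting them.
            success_after_failures.add(rec["ip"])
    brute_force = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "failures": dict(failures),
        "brute_force": brute_force,
        "success_after_failures": sorted(success_after_failures),
    }


if __name__ == "__main__":
    # Real use: analyze(open("/var/log/httpd/access_log").read())  (path varies by distro)
    report = analyze(SAMPLE_LOG)
    for ip, n in sorted(report["failures"].items()):
        print(f"{ip}: {n} failed auth attempt(s) on protected path")
    print("repeated failures:", report["brute_force"])
    print("failed then succeeded:", report["success_after_failures"])
```

An address that appears in both lists is the one to treat as a probable credential compromise: rotate the Apache password, then review what that client did afterwards. Apache's `AuthType Basic` sends credentials with every request, so this kind of log review is no substitute for restricting the admin interface at the firewall, which the post above also recommends.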

Patch is already available and will be pushed out to all Incredible PBX servers tomorrow. If you’re in a hurry, you can apply the patch now.

Keep in mind that this exploit requires hardware and software firewall access to your server PLUS your Apache maint password which is the equivalent of the keys to the castle to FreePBX, MySQL, and Asterisk. Most Incredible PBX systems automatically randomize this password. Older releases with the hard-coded default password are no longer available.

For details on the vulnerability and the patch, see this thread on the PIAF Forum: http://nerd.bz/1rqQSi3

As for it being “common to find systems that use the default installation password” and that include Apache servers that are “generally insecure,” that is news to us. The Telephone Reminders vulnerability would be the least of your problems on such servers since all of your Asterisk, FreePBX, and MySQL assets would also be exposed. We’ve never seen a reported much less documented case!


@wardmundy leads up PIAF and seems to have a fix in place. I am going to go ahead and close this out as this post is purely informational and I don’t think it will require further commentary. Please apply the fix as recommended above if you are affected by this.