Happy Friday everyone.
A recent blog post from Check Point Software, which has been picked up by the wider technical press, details methods by which a hacker can bypass the Admin GUI without authenticating and gain access to a FreePBX system for traffic pumping or other nefarious purposes. This thread is intended to address any questions that have arisen as result of the recent publicity.
The exploit in question is described here:
The exploit was disclosed responsibly to the FreePBX engineering team on or around November 15, 2019, almost one year ago. Engineering immediately went to work on a fix for the affected versions, and within 5 days (3 business days) the fix was coded, QA’d and published.
There are a two important clarifications I would like to make to the Check Point blog, most notably that this affects “Sangoma PBX” systems and the suggestion that the vulnerability affects Asterisk or systems running Asterisk.
- This is not an Asterisk vulnerability. There are many systems running Asterisk that don’t run FreePBX. These systems would not be affected by this specific vulnerability.
- This is not a Switchox vulnerability. There is no such system called “Sangoma PBX”, so that wording might cause some to think that Switchvox is affected. It is not. Likewise, no other Sangoma products (SBCs, gateways, etc.) are affected.
Vulnerable systems are FreePBX and PBXact only, and only if running a Framework module version less than or equal to the following:
- framework v22.214.171.124
- framework v126.96.36.199
The fix is simple, simply upgrade the Framework module to current using Module Admin.
I would also point out that in order for a FreePBX system to have been recently exploited by using this vulnerability, it would have to be woefully behind on updates and the FreePBX Admin GUI would have to be left open to untrusted internet traffic; neither of which conform to good security practice. When enabled and configured, the FreePBX Firewall limits access to the Admin GUI to trusted traffic only by default.