Old FreePBX Vulnerability from November 2019

lgaetz · November 6, 2020, 6:55pm

Happy Friday everyone.

A recent blog post from Check Point Software, which has been picked up by the wider technical press, details methods by which a hacker can bypass the Admin GUI without authenticating and gain access to a FreePBX system for traffic pumping or other nefarious purposes. This thread is intended to address any questions that have arisen as result of the recent publicity.

The exploit in question is described here:
https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass

The exploit was disclosed responsibly to the FreePBX engineering team on or around November 15, 2019, almost one year ago. Engineering immediately went to work on a fix for the affected versions, and within 5 days (3 business days) the fix was coded, QA’d and published.

There are a two important clarifications I would like to make to the Check Point blog, most notably that this affects “Sangoma PBX” systems and the suggestion that the vulnerability affects Asterisk or systems running Asterisk.

This is not an Asterisk vulnerability. There are many systems running Asterisk that don’t run FreePBX. These systems would not be affected by this specific vulnerability.
This is not a Switchox vulnerability. There is no such system called “Sangoma PBX”, so that wording might cause some to think that Switchvox is affected. It is not. Likewise, no other Sangoma products (SBCs, gateways, etc.) are affected.

Vulnerable systems are FreePBX and PBXact only, and only if running a Framework module version less than or equal to the following:

framework v13.0.197.13
frameworkv14.0.13.11
framework v15.0.16.26

The fix is simple, simply upgrade the Framework module to current using Module Admin.

I would also point out that in order for a FreePBX system to have been recently exploited by using this vulnerability, it would have to be woefully behind on updates and the FreePBX Admin GUI would have to be left open to untrusted internet traffic; neither of which conform to good security practice. When enabled and configured, the FreePBX Firewall limits access to the Admin GUI to trusted traffic only by default.

franckdanard · November 7, 2020, 2:20am

Good blog Lorne.

Don’t forget. If any updates exist, then it’s not only to bring some new features and to fix some bugs. It’s done to improve a security issue as well.
So, feel free to update your system including freepbx modules and operating system regularly.

FreerPBXer · November 10, 2020, 7:50pm

Thank you for the cogent non-hair-on-fire response, Lorne. The data-based, calm, concise presentation is refreshing to me.

Mike_S · November 13, 2020, 3:33am

Great post Lorne!

3 business days is literally unheard of in the industry. Kudos!

Great job pointing out exact products and versions that are venerable!

Oh, and what moron exposes their admin GUI to the public Internet?

lgaetz · June 3, 2021, 10:58pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.