Recent reports of ARI exploit on FreePBX systems

For more than a month we’ve seen a small number of reports of exploited PBX systems used for traffic pumping. Initially details were scant, but a few commonalities emerged:

  • Asterisk http/https service port(s) exposed to untrusted traffic
  • There was a spurious ARI app running in Asterisk

Background: To create an ARI app you need access to the Asterisk http/https service and you need ARI user credentials. The FreePBX ARI user is called freepbxuser and the password is generated at time of install. I don’t have complete data right now, but there is enough anecdotal evidence indicating that FreePBX ARI user password is not unique across all systems, so we are proceeding on the suspicion that one or more of the non-unique ARI passwords is now known publicly and used as part of the exploit.

As far as is known now, this is not an Asterisk issue, so Asterisk version is irrelevant. I have no data to indicate what versions of FreePBX this affects, so proceeding on the assumption that all versions are affected.

What you can do right now:

  1. If you don’t need them open (you probably don’t), immediately block access to the Asterisk http/https service ports (8088 and 8089 by default; they are settable in Advanced Settings). The FreePBX Firewall module does this in its default configuration when correctly configured.
  2. Manually reset the FreePBX ARI account credentials. Generate two random alphanumeric strings with upper and lower case letters, one about 15 characters long and one about 30 characters long. Update the ARI username and password in the GUI as outlined in the wiki page here. Alternatively, you can script the changes using the following commands to reset the ARI username and password:
fwconsole setting FPBX_ARI_USER 15-char-alphanum-string
fwconsole setting FPBX_ARI_PASSWORD 30-char-alphanum-string
fwconsole r
fwconsole restart

The final command will restart Asterisk which will drop all active channels.

In the unlikely event that you have set up any custom ARI access to the system using the generated FreePBX ARI user credentials, you will obviously have to update those systems with the new credentials. Better yet, for those that have third party integrations using the Asterisk ARI on FreePBX, create your own ARI credentials and details in the file ari_additional_custom.conf and don’t rely on the FreePBX generated account for that purpose.

In the near term, we’ll publish an update for currently supported FreePBX systems that will indicate the above and either automate or walk an admin through the credentials change.

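The credential rotation described in step 2, plus the check for a spurious ARI app mentioned at the top of the post, scripted as an added example (this is not code from the original post or from the FreePBX project). It assumes fwconsole and asterisk are on PATH on the PBX, that "fwconsole reload" is the full form of the post’s "fwconsole r", and that the Asterisk CLI command "ari show apps" lists the registered ARI applications. Run it with "dry-run" first to see the exact commands it would issue, then with "rotate" to apply them; "apps" lists the ARI applications currently registered so an unfamiliar one stands out.

```shell
#!/bin/sh
# Added example, not code from the original post or from the FreePBX project:
# rotate the FreePBX ARI credentials as the post recommends, and list the
# ARI applications Asterisk currently has registered.
# Assumptions (not in the original): fwconsole and asterisk are on PATH on the
# PBX, and "fwconsole reload" is the full form of the post's "fwconsole r".

# Print a random string of exactly $1 characters drawn from [A-Za-z0-9].
gen_alnum() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Succeed only if $1 is exactly $2 characters long and contains nothing
# outside [A-Za-z0-9]; used to sanity-check what gen_alnum produced.
is_alnum_of_len() {
    s="$1"
    want="$2"
    [ "${#s}" -eq "$want" ] || return 1
    [ -z "$(printf '%s' "$s" | LC_ALL=C tr -d 'A-Za-z0-9')" ]
}

# Rotate the FreePBX-generated ARI user and password. With "--dry-run" the
# commands are printed instead of executed, so they can be reviewed first.
rotate_ari_credentials() {
    mode="${1:-}"
    user="$(gen_alnum 15)"
    pass="$(gen_alnum 30)"
    is_alnum_of_len "$user" 15 || return 1
    is_alnum_of_len "$pass" 30 || return 1
    if [ "$mode" = "--dry-run" ]; then
        printf 'fwconsole setting FPBX_ARI_USER %s\n' "$user"
        printf 'fwconsole setting FPBX_ARI_PASSWORD %s\n' "$pass"
        printf 'fwconsole reload\n'
        printf 'fwconsole restart\n'
        return 0
    fi
    fwconsole setting FPBX_ARI_USER "$user" &&
        fwconsole setting FPBX_ARI_PASSWORD "$pass" &&
        fwconsole reload &&
        fwconsole restart   # restarts Asterisk and drops all active channels
}

# List ARI applications registered in the running Asterisk; an application
# you did not create is the indicator the post describes.
show_ari_apps() {
    asterisk -rx 'ari show apps'
}

# Only act when explicitly asked; running without arguments touches nothing.
case "${1:-}" in
    rotate)   rotate_ari_credentials ;;
    dry-run)  rotate_ari_credentials --dry-run ;;
    apps)     show_ari_apps ;;
esac
```

The dry-run path prints the new credentials to the terminal, so run it in a session whose scrollback is not logged, and remember that any third-party integration still using the old FreePBX-generated account will stop working after "rotate".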