Sec-2019-001


(TheJames) #1

I received this notification in my PBX but do not see any information on
https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities
Is there additional information somewhere?

<issue>
    <id>SEC-2019-001</id>
    <type>Authentication Flaw</type>
    <severity>high</severity>
    <discoveredby>PBXComplete - www.pbxcomplete.nl</discoveredby>
    <reported>2019-11-14</reported>
    <fixed>2019-11-18</fixed>
    <description>Potential user password bypass.</description>
    <changelog>2019-11-18: fixed</changelog>
    <tickets>#20791</tickets>
    <releated_urls>
        <url>
https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities
</url>
    </releated_urls>
    <versions>
        <v13.0>
            <vulnerable>yes</vulnerable>
            <fixes>
                <framework>13.0.197.14</framework>
            </fixes>
        </v13.0>
        <v14.0>
            <vulnerable>yes</vulnerable>
            <fixes>
                <framework>14.0.13.12</framework>
            </fixes>
        </v14.0>
        <v15.0>
            <vulnerable>yes</vulnerable>
            <fixes>
                <framework>15.0.16.27</framework>
            </fixes>
        </v15.0>
    </versions>
</issue>

(Matthew Fredrickson) #2

Hey James,

Documentation should be available in the next day or so. It is an important fix though, so updating is strongly advised.

Matthew Fredrickson


#3

Hello @mattf

We also received the notification. We updated all servers this morning to versions 13.0.197.13 and 14.0.13.11.

As we were finishing, we noticed that the servers now show they need to be updated again, from version 13.0.197.13 to 13.0.197.14 and from version 14.0.13.11 to 14.0.13.12.

We are in the process now of going back through all servers again. Are versions 13.0.197.13 and 14.0.13.11 still vulnerable?

Can it be confirmed that versions 13.0.197.14 and 14.0.13.12 are patched?
Thank you


(Matthew Fredrickson) #4

13.0.197.14 and 14.0.13.12 should have the correct version of the fix in them.

Matt
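As an added example (not part of this thread, and not FreePBX's own tooling), a short Python check that reads the advisory XML quoted in post #1 and answers the question raised in post #3: whether an installed framework version is at or above the fix for its branch. The XML embedded below is a constructed, trimmed copy of that notification; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the SEC-2019-001 notification quoted in post #1.
# Element names are kept exactly as the PBX emits them.
ADVISORY_XML = """<issue>
    <id>SEC-2019-001</id>
    <type>Authentication Flaw</type>
    <severity>high</severity>
    <fixed>2019-11-18</fixed>
    <versions>
        <v13.0><vulnerable>yes</vulnerable><fixes><framework>13.0.197.14</framework></fixes></v13.0>
        <v14.0><vulnerable>yes</vulnerable><fixes><framework>14.0.13.12</framework></fixes></v14.0>
        <v15.0><vulnerable>yes</vulnerable><fixes><framework>15.0.16.27</framework></fixes></v15.0>
    </versions>
</issue>"""

def parse_version(text):
    """Turn a dotted version such as '13.0.197.14' into a tuple of ints so that
    tuple comparison orders versions numerically (197.14 > 197.13, 197.9 < 197.14)."""
    return tuple(int(part) for part in text.strip().split("."))

def fixed_versions(xml_text):
    """Map each vulnerable branch element (e.g. 'v13.0') to its fixed framework version."""
    root = ET.fromstring(xml_text)
    fixes = {}
    for branch in root.find("versions"):
        if branch.findtext("vulnerable", "").strip().lower() != "yes":
            continue  # branch listed but not affected: no fix to compare against
        framework = branch.findtext("fixes/framework")
        if framework:
            fixes[branch.tag] = parse_version(framework)
    return fixes

def is_patched(installed, xml_text=ADVISORY_XML):
    """True if the installed framework version is at or above the fix for its
    major.minor branch, False if below it, None if the advisory does not list
    that branch at all (e.g. an unsupported 12.0 install)."""
    installed_v = parse_version(installed)
    branch = "v%d.%d" % (installed_v[0], installed_v[1])
    fixes = fixed_versions(xml_text)
    if branch not in fixes:
        return None
    return installed_v >= fixes[branch]

if __name__ == "__main__":
    # The pairs from post #3: the first update landed one release short of the fix.
    for v in ("13.0.197.13", "13.0.197.14", "14.0.13.11", "14.0.13.12"):
        print(v, "patched" if is_patched(v) else "STILL VULNERABLE")
```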


(Paul Mitchener) #5

Hi @mattf,

We had an extension compromised over the weekend, then only a day or so later we received notification that the patch had been applied automatically.

Is there anywhere that outlines what vulnerabilities were fixed?

Thanks
Paul


(Jared Busch) #6

So, just like the last time you had a security issue, the warning does not clear.


(Vasman) #7

I too have this problem. I’ve updated it to the right version, yet I’m still getting the same error.


(Jared K Smith) #8

More details are now online at FreePBX Security Vulnerability SEC-2019-001.


(Lorne Gaetz) #9

In the systems I’ve touched, when I dismiss the dashboard warning it goes away and stays gone.


(Jared Busch) #10

Why do I need to dismiss it after the update is applied?

The error goes away eventually, if you ignore it, so why can’t the update clear it?

Multiple systems. Run updates, click refresh on overview, error still shows. That is confusing.


#11

Are the current ISOs going to be updated to include this fix?

I know the security warning will still pop up but may prove nasty for new users that aren’t 100% on what they’re doing yet…


(Matthew Fredrickson) #12

I think that’s a good suggestion. We’ll probably end up doing that next.

Matthew Fredrickson


#13

Question for the developers:

In the early days of FreePBX, there were several vulnerabilities similar to this one, where a specially crafted request to a specific page in the admin tree could bypass authentication or run arbitrary code.

In version 2.x, the system was changed to replace the PHP-based logic with regular Apache digest authentication (htaccess / htpasswd). This is simpler, gets much more peer review than FreePBX, and has a good record of remaining secure.

Why was this switched back to use a custom login screen?


#14

It is configurable:

“webserver” seems to give the most flexibility, in that it asks Apache to handle the authentication while the usermanager module does the authorization.

In that way you could use any Apache auth module, not just basicauth. Plug in an SSO service, or PAM and auth against your Linux password file, 2FA, etc…


(Andrew Nagy) #15

“Apache digest authentication (htaccess / htpasswd)” was added a long time ago. It was never the default and it shouldn’t be. The custom login screen has always been the default. You can never logout from apache digest authentication.

It’s still an option if you wish to use it (as pointed out by Bill)… however.

The single issue with this is that you’d still be unable to log out.

Ref:

(The solution in the Stack Overflow answer is to send a 401; the problem there is that the 401 is logged and picked up by fail2ban.)

If it was the end-all/be-all you’d see Facebook, Google, LinkedIn, etc. using it. There’s a reason websites (FreePBX is a website) don’t use Digest Authentication.

Furthermore, when you use Digest Authentication you end up breaking many commercial modules of FreePBX. Namely Zulu. Zulu would break completely, as could contact manager images on your phone. The API module would also be useless. This is because all of these modules run through config.php. “Digest Authentication” locks down config.php.

If you want to enable it and you don’t use commercial modules and you don’t mind that you can essentially NEVER logout (there’s no session to clear!) and you don’t mind not being able to set your language in FreePBX or Locale and you are a hobbyist then go for it! :smiley:

** I spent a day trying to get Digest Authentication to work with FreePBX a couple of years ago, there are many issues with it.


(TheJames) closed #16

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.