FreePBX 14.0.13.26 (Distro)
Current Asterisk Version: 13.29.2
PBX Firmware: 12.7.6-2002-2.sng7
PBX Service Pack: 1.0.0.0
I have the following notification in the Dashboard:
There is 1 module vulnerable to security threats
restapps (Cur v. 13.0.92.31) should be upgraded to v. 14.0.22.2 to fix security issues: SEC-2020-004
I am not able to upgrade this Module, because
Missing Requirements:
EndPoint Manager module version 14.0.41 or higher is required, you have 14.0.2.188
I can’t upgrade EndPoint Manager (I assume), because our license has expired. Also, the “restapps” (Phone Apps) module, which is the one needing the security update, is disabled.
Are we still vulnerable even with the affected module disabled? What should my course of action be to keep us secure?
If the Phone Apps (restapps) module is disabled, then you should not be vulnerable. You can also uninstall the module if you want to be extra cautious.
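As an added illustration of the reasoning in the reply above (this is not code from the thread or from FreePBX), the snippet below parses a constructed sample of `fwconsole ma list` output, compares dotted module versions the same way the "Missing Requirements" check does (14.0.2.188 sorts below 14.0.41 because 2 < 41 in the third component), and reports a flagged module as exposed only when it is both below the fixed version and enabled. The table layout, the `SAMPLE_LIST` contents and the `ADVISORIES` mapping are assumptions for the example.

```python
import re

# Constructed sample of `fwconsole ma list` output (layout assumed, not captured from a real PBX).
SAMPLE_LIST = """\
+------------------+-------------+--------------+------------+
| Module           | Version     | Status       | License    |
+------------------+-------------+--------------+------------+
| endpoint         | 14.0.2.188  | Enabled      | Commercial |
| restapps         | 13.0.92.31  | Disabled     | Commercial |
| sysadmin         | 14.0.30.9   | Enabled      | Commercial |
+------------------+-------------+--------------+------------+
"""

# Advisory data as shown in the Dashboard notice: module -> (fixed version, advisory id).
ADVISORIES = {"restapps": ("14.0.22.2", "SEC-2020-004")}

def version_key(v):
    """Split a dotted version into integer components for numeric comparison."""
    return [int(p) for p in re.findall(r"\d+", v)]

def version_lt(a, b):
    """True if version a is lower than b; shorter versions are zero-padded."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + [0] * (n - len(ka)) < kb + [0] * (n - len(kb))

def parse_module_list(text):
    """Turn the ASCII table into {module: {version, status, license}}; skips borders and header."""
    mods = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] not in ("Module", ""):
            mods[cells[0]] = {"version": cells[1], "status": cells[2], "license": cells[3]}
    return mods

def assess(modules, advisories):
    """One verdict per advisory: exposed only if installed, below the fix AND enabled."""
    out = {}
    for name, (fixed, advisory) in advisories.items():
        m = modules.get(name)
        if m is None or m["status"] == "Not Installed":
            out[name] = "not installed"
        elif not version_lt(m["version"], fixed):
            out[name] = "patched"
        elif m["status"] == "Enabled":
            out[name] = f"EXPOSED: enabled at {m['version']}; {advisory} fixed in {fixed}"
        else:
            out[name] = f"disabled: {advisory} code path not reachable; uninstall or upgrade to clear the notice"
    return out

if __name__ == "__main__":
    for name, verdict in assess(parse_module_list(SAMPLE_LIST), ADVISORIES).items():
        print(f"{name}: {verdict}")
```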
This may be a dumb question, but I thought that previous security updates were given to commercial modules regardless if they were still licensed.
Please correct me if I am wrong.
I guess my understanding was that @bradm413 purchased a 25-year license to use the product, but feature additions and upgrades were limited to the 1-year license.
Now I am even more confused.
Is that a valid 1-year license or a valid 25-year license?
Also, if what you said is true, why are we getting the free security update to the unlicensed Phone Apps module? The very update that started this post and these issues.
Sidenote: I happened upon the original post that made me think this way.
There are two things: Module Support and License. You can buy a 1-year or 25-year license. But Module Support is always 1 year and must be renewed in order to get updates.
If you look at your System Admin > Activation screen you will see EPM shows the license valid through a different date than the “Free updates until” date. The “Free updates until” date is the Module Support expiry. You can renew support through Module Admin if you’re less than a year lapsed. However if you are over a year you need to follow this procedure to do it through the portal:
But, what about the fact that the Phone Apps module is unlicensed and still giving me the update? (That is the reason why I would like to update EPM)
According to the comments here, being notified and allowed to update the Phone Apps module should not have happened. That is the whole reason behind needing to update EPM. Phone Apps is a Commercial Module and I do not have a 1-year update license.
Edit: I hid the part that people were objecting to. I misstated but the basic premise remains the same.
I believe that this Violation of the Rule of Least Astonishment is being addressed by Sangoma as we speak. If you have to touch the license by making a payment every year, you completely abrogate the purpose of getting a long term license. It just doesn’t make sense to anyone new and runs counter to licensing terms for literally anything else I’ve ever licensed.
If I pay a fee to license software for 25 years but have to pay every year to renew the license, what exactly did I get? There’s no assurance the module will remain active for 25 years, in spite of the agreement, consideration, and service that takes place.
I love FreePBX, but I’m becoming less and less of a fan of Sangoma’s business practices all the time. It’s probably going to take someone suing them to change it, though, so I don’t see it becoming any less deceptive in the future.
I won’t argue that it does not make sense to anyone new if you claim it. But I see this license model all over the place.
Veeam Backup & Replication: One time purchase gives me the rights to use the software in perpetuity. But I can only get updates for 1 year.
On-Premises ScreenConnect (now ConnectWise Control): One time purchase gives me the rights to use the software in perpetuity. But I can only get updates for one year. After one year I can buy maintenance for a pro-rated cost of the original purchase price and get updates.
This is the important distinction. If I licensed the software forever, knowing that I had to pay maintenance up front, I’d be cool with that. Adobe does the same thing. If I license software “for a set period” (say 25 years) and there is no mention of maintenance in the sale, then I should be able to assume that I get to use the license for 25 years. The premium you pay for getting multiple years kind of implies that.
The “slimy” part is that the maintenance fee part isn’t clearly delineated to us. We get this question, especially from people that don’t do what we do for a living, all the time. The fact that they are uniformly surprised tells me what I need to know.
Coming to this thread cold, but security updates are not withheld from users who choose not to renew maintenance. If you wish to use Phone Apps, you must renew EPM so they can both be installed. If you choose not to use Phone Apps, you can disable it (and whatever depends on it!) and continue to use the EPM version you have.