Security Releases

mattf · August 17, 2020, 7:29pm

Hey All,

Just a heads up that a few different FreePBX modules had security issues which were disclosed to us. Two were SQL injection type vulnerabilities in the CDR and CEL modules and one was a potential XSS problem with the logfiles module.

You can read more details about the impact of the vulnerabilities at:
https://wiki.freepbx.org/display/FOP/2020-08-17+SQL+Injection+In+cdr+module
https://wiki.freepbx.org/display/FOP/2020-08-17+SQL+Injection+In+cel+module
https://wiki.freepbx.org/display/FOP/2020-08-17+XSS+Vulnerability+In+logfiles

As per usual, we have marked them as security fixes on the mirror servers so for those of you that have automatic downloads of security updates, you should be getting them soon.

Special thanks goes to the reporter for patiently working with us as we were attempting to replicate the problem and develop fixes.

Best wishes,
Matthew Fredrickson

mis · August 18, 2020, 2:07pm

Since I updated these 3 modules last night, asterisk cli doesn’t give any debug output and nothing is written to /var/log/asterisk/full. From the asterisk cli I’ve tried:
core set debug 9
core set verbose 9
logger set level DEBUG
pjsip set logger on
manager set debug on
cdr set debug on
rtp set debug on
rtcp set debug on

None of these commands produce any debugging output. I have no debugging capabilities without packet captures and I have no logs to chase errors in.

logger show channels only has /var/log/asterisk/fail2ban (it no longer has /var/log/asterisk/full - type file or type console)

I’ve managed to manually added a channel back with the logger in cli, but this is temporary until a restart:
logger add channel /var/log/asterisk/full debug,notice,warning,error,verbose

H̶o̶w̶ ̶c̶a̶n̶ ̶I̶ ̶a̶d̶d̶ ̶t̶h̶e̶ ̶c̶o̶n̶s̶o̶l̶e̶ ̶t̶y̶p̶e̶ ̶b̶a̶c̶k̶ ̶t̶o̶ ̶t̶h̶i̶s̶ ̶l̶o̶g̶g̶e̶r̶ ̶c̶h̶a̶n̶n̶e̶l̶,̶ ̶a̶n̶d̶ ̶h̶o̶w̶ ̶t̶o̶ ̶s̶e̶t̶ ̶b̶o̶t̶h̶ ̶(̶f̶i̶l̶e̶,̶c̶o̶n̶s̶o̶l̶e̶)̶ ̶p̶e̶r̶m̶a̶n̶e̶n̶t̶l̶y̶?̶

I found that /etc/asterisk/logger_logfiles_addtional.conf only contains:
fail2ban => notice,warning,security

I added the missing pieces to /etc/asterisk/logger_logfiles_custom.conf to get logs/debugs working again permanently:
console => debug,error,notice,verbose,warning
full => debug,error,notice,verbose,warning

I’ve managed to get logs flowing again with the above method, my questions now are… Was removing these channels intentional? Am I re-opening up a possible attack vector by doing this?

aroundi · August 18, 2020, 4:48pm

Hello,

I have the same or similar problem and get no live output to the CLI.

Edit: fixed by enabling logfiles for concole in GUI.

Rgds,

FreerPBXer · August 18, 2020, 6:09pm

I’m wondering if the fix for the XSS issue in logfiles was to disable…will re-enabling expose the initial vuln?

aroundi · August 18, 2020, 6:54pm

Hi,

I have to think that disabling output to console was not intentional; It’s immediately noticeable.

mattf · September 18, 2020, 6:54pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.