Security Vulnerability Notice


(Philippe Lindheimer) #1

FreePBX UpdatesWe are blogging to inform you of a recently discovered security vulnerability reported yesterday in FreePBX Ticket 7123 (originally reported in ticket 7117 which is locked because of sensitive information). All FreePBX versions FreePBX 2.9 before 2.9.0.14, FreePBX 2.10 before 2.10.1.15, FreePBX 2.11 before 2.11.0.23, and FreePBX 12 before 12.0.1alpha22 are affected. You should immediately update your FreePBX Framework Module to secure your system from a potential attack.

The vulnerability is a Remote Command Execution (RCE) attack which means a compromised PBX can have any system command executed on it. This may result in serious damage to the system or extraction of passwords and other credentials accessible to the apache user (which is asterisk on most systems).

There were no known exploits at the time this issue was reported but upon going public it is common for hackers to develop scripts to scan the internet in an attempt to find vulnerable systems. The primary attack mode would be blocked on a system that uses HTTP authentication as some Distros set by default. Unfortunately, it is trivial to develop an XSS (Cross Site Scripting) attack that could indirectly access this vulnerability and allow an attacker to get access to any logged in system using all FreePBX authentication options. As such, all systems are vulnerable and should be updated. The fix addresses all attack modes.

(CVE-2014-1903)

Please make sure to update your systems immediately. We informed project teams of the other popular FreePBX Distro's earlier today as well as Certified Hosting Partners.

The FreePBX and Schmooze Team!


Hacked via /tmp perl scripts
#2

Assuming this is related to the bug I posted yesterday then there definitely is an exploit. Either that or you have another one.

http://issues.freepbx.org/browse/FREEPBX-7120


(Philippe Lindheimer) #3

It appears ticket 7120 may be the first sign of an exploit against this vulnerability. As a result of posting the blog, Mustardman has provided additional logs upon the development team's request that appear to indicate the same attack mechanism. If there is additional helpful information it will be attached to the master ticket 7123 since his ticket 7120, and the original ticket 7117 under which this vulnerability was first reported will remain locked due to sensitive data.


#4

Hi, can you confirm that access to the FreePBX web site on port 80 is needed? It looks that way from the bug post but I’d like to confirm this.

Thanks,
Tim Miller Dyck


(Philippe Lindheimer) #5

The admin GUI must be accessible, through port 80 unless you’ve configured something different (e.g. https/443) for this attack. Whether or not you have your site protected by a firewall (which is highly recommended), you want to apply this fix.


(Davide Poletto) #6

The Web GUI needs simply to be accessible locally or remotely (e.g. I tested the scenario against my system whose GUI is remotely available through a simple Firewall forwarding rule - the Web GUI external port is not equal to the internal one - and the issue is clearly there however).

The idea that obfuscating the Web GUI by modifying the default listening port number could protect our systems against a well engineered attack is only a temporary palliative (let me using this word); the sad thing is that I know I just used a palliative up to now.

In this case the only remedy to apply ASAP is updating the FreePBX Framework and limiting (that’s always a valid rule IMHO) which IP Addresses (internally/externally) have access to the FreePBX Web GUI.


#7

*FIXED IN THE LATEST UPDATE
There is a bug that will give you a white page ie no gui if you have php < 5.3 and FreePBX 2.11

http://issues.freepbx.org/browse/FREEPBX-7130

to fix it add:

if (!function_exists(“gethostname”)) {
function gethostname() {
return trim(php_uname(‘n’));
}
}

to libraries/php-upgrade/upgrade.php


(Preston McNair, ClearlyIP CRO) #8

Seeing some reports that some hosting providers are restricting access to the FreePBX GUI, You can follow the instructions listed here to update the framework module via CLI/SSH. http://wiki.freepbx.org/display/L1/Upgrading+a+FreePBX+Module+from+the+CLI


(Bryan Walters) #9

The gethostname issue should be resolved in the latest framework which was pushed out this morning. Sorry about that.


(Philippe Lindheimer) #10

We regret the few people who had some hiccups because of the FREEPBX-7130 bug that was reported. It appears some previous framework versions had this issue that went un-reported. As a result of this security issues, many more people upgraded which resulted in pulling in those changes as well.

As an FYI, FreePBX primarily codes to a requirement of PHP 5.3 and higher although we have made many efforts to provide compatibility for older versions of PHP for people who do not upgrade their base systems. This makes it a challenge to detect issues like this and we depend on the community to report such issues so we can address them as was the case here as soon as it was reported.

As an FYI:

  • PHP 5.2 was End of Life 06-JAN-2011 (3+ years ago)
  • PHP 5.1 was End of Life 24-AUG-2006 (7.5 years ago)

These are the most common versions we encounter when such bugs come up and as you can see, it’s a REALLY GOOD idea to move off of these as there are plenty of known bugs and issues with these older versions. In the words on the PHP Site: “If you are using these releases, you are strongly urged to upgrade to a current version, as using older versions may expose you to security vulnerabilities and bugs that have been fixed in more recent versions of PHP.”


(Greg Snover) #11

From day-one, we have never exposed any of our FreePBX/Asterisk boxes to the outside except SIP and RTP - We always have them behind a VPN firewall, and to do ANY maintenance on the boxes, you have to first make a successful VPN connection to their network.

Initially it was more of a lack of experience on our part with Linux security, but now after 10 years I still think it’s not a good practice to publicly expose the web interface of these boxes - we have had one instance where the customer screwed up and exposed our box, and we had $4K of toll fraud in the space of 10 hours - there is just too much on the line to lose.

Greg


#12

Agreed, you should only allow internet access to the PBX only if there is no other alternative. If this is the case at the very least you should restrict it to certain IPs. I understand there are cases where this is not possible for various reasons but if you are in control you should put yours behind a firewall and VPN in.


#13

I have updated the module, but maybe there is some bug somewhere.

AFTER the update, FreePBX presents the module with the RC 1.2 version, and says it is disabled but up-to-date:

If I click Description, it says “Description for version 2.11.0.23”:

Should I file a bug?


(Andrew Nagy) #14

We have no reports of this happening to anyone. Enable the module and then update.


#15

For anyone interested… Here is my detailed HOW-TO for securing your Asterisk/FreePBX server. I hope it will be helpful! Feel free to comment.


#16

As seen in hatredman post above, with the Framework instaled and disabled, after updating it (but leaving disabled), FreePBX presents the module with the 2.11.0.0beta2.2 version again, saying it is disabled but up-to-date, and also saying it is vulnerable. If I click ‘Description’, it says “Description for version 2.11.0.23”.

Following tm1000 directions, enabling the module and updating again solved the issue.


#17

Have you a mailinglist purely for security vulnerability?
Thanks
Sofus


(Bryan Walters) #18

Sofus,
Currently we do not have a mailing list for FreePBX or FreePBX Security Vulnerabilities. All announcements will continue to be made here on the blog and Module Admin also highlights modules with Security fixes.


#19

Hey,
One of the installations i run was affected by this, and the hacker was able to overwrite files and create an account for themselves. How do I deal with this? Is it enough to install a backup of prior to the attack and overwrite all files in /etc/asterisk and /etc/amportal.conf as well as the complete Asterisk database and then upgrade to the current framework version? As far as I can tell, no other files than the ones in /etc/asterisk, /etc/amportal.conf and the database were modified / created by the attacker. So is it save to move on without reinstalling the complete server? And obviously, from now on, freepbx will only be available behind a VPN…

Thanks for your input


#20

Admins closed my post: http://www.freepbx.org/forum/website/admin-portal-hackable-to-download-and-execute-files-in-tmp

But vulnerability is still present in FW 2.11.0.34