Worth the watch - Def Con 31 FreePBX

You guys are derailing the discussion about how Sangoma is handling security in FreePBX. This thread has value in that discussion. Please take your sniping at each other into DMs as that is an option.

2 Likes

Fair enough but only one of us gets flagged? Very nice.

@lgaetz just posted a detailed blog here FreePBX Security Issue SEC-2023-001 | FreePBX - Let Freedom Ring outlining things.

2 Likes

You do realize that all but one of the flaws covered in this video are commercial modules. There was only one OSS module that had a flaw. If the logic is the paid products, like commercial modules that also run in PBXAct, have priority then that’s a skewed priority.

I was referring to their other products and services other than FreePBX rather than the paid modules. Their focus is somewhere other than FreePBX is the point.

1 Like

Crosstalk posted a video in the last day or so on this. https://youtu.be/xGtJNwWoyHo?si=e0s0dQeaEbzZFhHu

2 Likes

So the Bug Bounty Program vanished after this bug was reported. Seriously??

Yes and no?

Reporting Security Issues in Sangoma Products - Product Advisories & Security - Documentation (freepbx.org)

Security Reporting - FreePBX OpenSource Project - Documentation

Worth noting that both those pages were created 5-7 years ago and last updated well before the page in that way back link was created or deleted.

So I have a question about what was said in that video. Mainly, how did CIP release a patch for CrossTalk of a commercial module(s)?

We did not patch a commercial module. We assisted him in blocking the call to ajax.php but did not patch or touch a Sangoma commercial module to do so.

3 Likes

Ahh so when he said you patched the port, you just put in some firewall rules? an .htaccess rule?

Tom. Your not going to get a step by step here from me. We assisted a paying customer to patch their system from letting the bad guys get in without modify a commercial module in FreePBX. It would be wrong of me and violate contracts with customers and privacy policies to get into exactly what was done. At this point it does not matter as Sangoma has patched the flaw that they were using to get in.

1 Like

“Red headed step child” — I guess we can assume @ACS is an abbreviation for Alias Crosstalk Solutions.

Watched the video today, and that phrase - red-headed stepchild - jumped at me. Safe to say that it is their alternate account here

1 Like

@tonyclewis are you, by this, saying that the current freepbx distro has a patch in place to deal with the issues the security researcher highlighted? I mostly run FreePBX on Debian, behind an SBC. I don’t use any of the commercial modules. I just wanted to be sure that the OSS module that was also a vector is now fully fixed

Yes sangoma patched this a month or so ago. As long as you updated your modules you should be fine according to Sangoma.

Many of our clients don’t use restapps and we don’t even have the license for that module. Is it enough to disable/uninstall restapps to prevent security issues?

Thanks.
-D

No, ensure you run the update to prevent the current security issue. Why wouldn’t you.

hi all,

i looked at this and got me questioning have sangoma got freepbx best interests, or should i look somewhere else for a pbx solution

thanks,
rob