Worth the watch - Def Con 31 FreePBX

“Red headed step child” — I guess we can assume @ACS is an abbreviation for Alias Crosstalk Solutions.

Watched the video today, and that phrase - red-headed stepchild - jumped at me. Safe to say that it is their alternate account here

1 Like

@tonyclewis are you, by this, saying that the current freepbx distro has a patch in place to deal with the issues the security researcher highlighted? I mostly run FreePBX on Debian, behind an SBC. I don’t use any of the commercial modules. I just wanted to be sure that the OSS module that was also a vector is now fully fixed

Yes sangoma patched this a month or so ago. As long as you updated your modules you should be fine according to Sangoma.

Many of our clients don’t use restapps and we don’t even have the license for that module. Is it enough to disable/uninstall restapps to prevent security issues?


No, ensure you run the update to prevent the current security issue. Why wouldn’t you.

hi all,

i looked at this and got me questioning have sangoma got freepbx best interests, or should i look somewhere else for a pbx solution


Zero days and the way they are handled are not unique to Sangoma. This is not a “Pass”, but a reminder that no entity or person is perfect.

This is their stance: Security Information - FreePBX / PBXact - Sangoma Documentation (atlassian.net)

You would need to weigh the cost of doing business, their policies, and if you believe in the company. If you do not, you probably should look elsewhere. There’s not a one size fits all answer to this question.

Have you considered that…

  • Sangoma continues to provide this very active forum while employing lots of people involved in the FreePBX project, as well as the underlying Asterisk framework and forums ?

  • Sangoma is currently seriously addressing security issue reporting in more depth ?

  • If you lock down the FreePBX “web” interface from anything but localhost and instead SSH in and tunnel some ports to get to said interface; or opt for more basic module selections without bringing in the kitchen sink; then you can avoid every single one of the problems highlighted in this thread thus far ?

  • Sending a few emails (to anonymous group/catch-all addresses?) and a few tweets (to marketing staff?) begs for more effort on the part of an extremely-intelligent and savvy security researcher especially for the open source portions of the problems ?

  • This guy might know wazzup and perhaps is the best person to answer the petition for redress of grievances ?

Because I don’t want to purchase maintenance for a module that our clients don’t use. Is uninstalling the restapps module not enough for such cases where the client is not using that module. We don’t even have the license for that module for many of our clients.

Of course, we will do it for clients that use that module. But, for others, it doesn’t make sense.
Can someone from sangoma be more clear about this situation?

Do you for some reason have the paid commercial license for phone apps, on a 25 year license, but don’t now want to pay the annual maintenance? No problem with that, just trying to clarify your situation.

No, we don’t have the phone apps license on many of our client PBXs. So, is it enough to uninstall the phone apps module in such cases.

You want to also remove the code.
fwconsole remove restapps
Not in this case but in past bugs there has been modules that posed an issue even uninstalled.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.