FreePBX Security Vulnerability

wardmundy

There is a very serious security vulnerability that needs to be patched by loading the very latest version of FreePBX Framework as soon as it becomes available for your version of FreePBX. Just displaying a CDR report in the FreePBX browser could compromise your system.

The 2.5 and 2.6 patches already have been released and probably 2.7 as well. Load this patch IMMEDIATELY!!!

Setup, Module Admin, Check for Updates Online, Upgrade All

2.5.2.3: #4223 Security Vulnerability
2.6.0.2: #3805, #3707, #4188, #4223 Security Vulnerability
 
Thanks for the heads up Ward, the 2.7 (2.7.0.2) framework update was available.

It must be really bad, trivial, or both. The FreePBX note for this bug is: "details not provided to minimize exposure"
 
So, after I applied the patch, FreePBX started complaining about a default SQL password and a default Asterisk Manager Password. Should I just run passwd-master again?
 
Hi

That's normal behaviour, and not an issue - they are only listening on localhost, so if someone gets that far, the AMI and the database are the least of your worries.

Leave it all as it is.

Joe
 
So, after I applied the patch, FreePBX started complaining about a default SQL password and a default Asterisk Manager Password. Should I just run passwd-master again?

This thread will show you how to remove the warning messages.
 
I'd love to know what the bug was - I have never been a fan of security through obscurity :(
 
If you were the only one reading the forums, I'd be glad to explain it. Unfortunately, that's not the world in which we live. Obscurity is about all that's standing between hundreds of thousands of functioning Asterisk systems and a world full of fully-compromised servers at the moment... unless you happen to be using The Incredible PBX with a hardware firewall and no Internet exposure to your system. (HINT!)

To give credit where credit is due... I called Philippe Lindheimer at FreePBX on my way home from the AAUG Conference last Saturday afternoon. By Saturday night, he already had posted the patch on SVN. By Sunday morning, Kevin Lynn at GWU forwarded sample Perl scripts to simulate the vulnerability for testing by the FreePBX team. And by Tuesday, the update was on the street. That's how the system should work. Unfortunately, the root cause of the vulnerability lies in some very problematic coding in an Asterisk module which is maintained by Digium. They have thus far not addressed the problem at all. Hopefully, that will change.
 
Yeah, I know. It's always a balancing act. Someone PM'ed me the details.
 
I take issue with the implication that Digium is the root cause of this vulnerability. The fact of the matter is, I stated that Digium's response was "lacking" during my talk, but I failed to specifically say why their response was lacking.

To be clear, I did not say that because the root cause of the vulnerability was their fault. Instead, I said it because their response was basically "we know but it's someone else's problem for being a bad developer" rather than "we are aware of it but don't know how to fix it, can you help us?"

The second email response I received from Digium did imply they would be happy to review any possible fixes to the vulnerability. That should have happened in the first email instead of the second. The fact that Digium's security team did say that they would be interested in any fixes is the reason that my talk included only a small quote from them, metrics, and a misunderstood statement that I found their response "lacking".

As for the root cause, it is a trust issue. The developers of FreePBX were trusting all data retrieved from the database and displaying the data to the user without any kind of filtering. Therefore, the root cause isn't something you can assign to any one person or company but if you were pointing a finger you would point it at the developers of FreePBX for trusting externally created data.

Digium has good reason for allowing this data into their database. They have no way of knowing what characters or character sets someone is going to need to store and therefore it is an onerous problem to come up with a method that allows all characters in all languages without including the bad stuff. The reason I am adamant about Digium coming out with a fix for the security weakness is because this problem affects more than FreePBX and is likely to be seen in other products in the future unless it is resolved at a different level.

I personally believe Digium can solve it for all users and software by allowing a switch in the configuration files for the part of Asterisk where the vulnerability lies. That switch should be used to configure and turn on or off the stripping of certain information. I am going to be working on that as a fix in the near future so that I can turn the code over to Digium to ensure the problem goes away permanently.

FreePBX has already fixed the problem on their end. I have validated that it works and have been unable to find a way to exploit the vulnerability with the fixes in place. (Although, while writing this I believe I have thought up another way.)

I don't have anything more to say regarding the vulnerability at this time. I would, however, like to apologize to Digium if during my talk I gave anyone the impression they were the root cause of the vulnerability, that I think their security team or developers are bad, or that people cannot trust Digium.

I remain a big fan of Digium and so should everyone else.

Regards,
Kevin Lynn
 
I didn't see this thread in time. My Box was taken out by the trojan :banghead:

I was setting the alarm module for bed, and it started acting up.

I couldn't enter my machine through the web browser.

I putty into my machine. It states that Apache isn't running.

I "amportal restart" from root and then all sorts of permission changes start happening until the box seizes up.

I reboot the box, could no longer putty into the machine period.

At this point the box is unplugged from my network.

I guess my phones are down until I get home from work tomorrow :(

My box is behind a firewall, but I guess that didn't matter in this case.
 
I didn't see this thread in time. My Box was taken out by the trojan

Hi

I would be very surprised if the cause of your issues is Kevin's exploit.

I would quote from a post I made a couple of years ago illustrating misdiagnosis.

http://pbxinaflash.com/forum/showpost.php?p=22882&postcount=8

...my favourite mis-diagnosis story was seen recently in a UK computer mag.


Many months after the bombings in London in the late 90's, an unnamed Indian electrician was the only person in the area of the blast to be unaccounted for after a few truckloads of fertilizer and DERV was set off.

Our electrician was eventually tracked down to his remote village in India where he had fled on the night of the explosions.

He'd been working in the basement of a tower block only a few yards away from the truck bomb.

His last act on the job was to switch the power back on - at the exact moment he did so, someone else detonated 4000lbs of ammonium nitrate a couple of streets away.

Our friend the electrician (incorrectly) put 2 and 2 together, went and got his passport and left the country, convinced he was responsible for the destruction of quite a lot of prime office space, and did not want to hang around to explain himself.


It's an illustration of cause and effect which must be borne in mind when diagnosing these problems, especially with VoIP. The network problem will manifest itself in the PBX, but the cause could be somewhere else entirely.
 
:iagree: mark-hc: You didn't get this in the wild just yet. IconicFlux still has the only working version.

The root cause of this vulnerability is some creep somewhere. But the issue with Digium is the classic definition of a Trojan Horse. You shouldn't provide a permanent home for dangerous data that comes through a firewall, period. When looking at a log stored on a server inside a firewall, everyone should have a reasonable expectation that it isn't going to blow up in their face.

The purpose of the log is to record an event. Adding details that might compromise a server is way beyond the scope of what's necessary or appropriate. If the log entry doesn't have anything to do with what's supposed to be stored in that field, then it shouldn't be recorded. *** would suffice. I think we all appreciate why this happened. It was easy. Analyzing data is obviously more difficult coding than merely storing the data verbatim. But that's what functions are for. PHP has one, and it wouldn't be difficult to implement the same sanitizing function in Digium's code.

The log viewing software should be the second line of defense, not the first. And, yes, this also may be problematic with tools such as phpMyAdmin. I hope not. Kevin should be able to sort that out fairly quickly since phpMyAdmin is included on PBX in a Flash servers.

When it comes to storing log content, we can certainly argue about what constitutes dangerous data but, in the context we're discussing, I think it's clear that data that triggers a web browser to do something "incredibly dangerous" meets that test. Stated another way, why would you ever need to preserve something like this in a log? :crazy:
 
Would anyone out there be interested in my starting a series of weekly security talks aimed at developers so that I can go over vulnerabilities, a walk through of how they work, how their existence means a software security principle has been broken, and how to fix the root cause so it doesn't come back?

This is something that I think more and more people within the Asterisk community would benefit from and I'm hoping the end result would be an understanding of software security principles as well as coding standards for any Asterisk related project.

Kevin
 
interested, certainly! would urgently request they be 'podcasted' or syndicated somehow for the days that the excrement has hit the rotating oscillator...
 
Well..

Great, you're saying now I have to figure out why Apache crashed and I can't access my machine?

It would probably be faster to format and install "The Incredible PBX".
 
