ALERT FreePBX Vulnerability

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192


We strongly recommend that you immediately upgrade your FreePBX Framework module to address this vulnerability. As all servers should be, PIAF and Incredible PBX servers sitting behind hardware-based firewalls with no HTTP (port 80) exposure are protected from outside attacks. Similarly, systems that have deployed Travelin' Man 3 are protected from anonymous HTTP attacks. Purely from an academic standpoint, we differ a bit on the scope of this vulnerability on PIAF systems (NOT Raspberry Pi and Beaglebone platforms!) because of the PIAF Apache authentication mechanism that generally protects FreePBX resources on PIAF servers; however, everyone should install the upgrade to be absolutely secure... especially Incredible PBX users on the Raspberry Pi and Beaglebone platforms! UPDATE: This upgrade is automatically pushed to all Incredible PBX systems on the first root login.
Code:
amportal a modadmin upgrade framework
amportal a r

Very nice job by the FreePBX Dev Team in highlighting security issues in the FreePBX GUI now!!

[attached screenshot: index.php]
 

mcbsys

Guru
Joined
Oct 16, 2008
Messages
139
Reaction score
5
A little update/feedback on handling this.

1. The blog post's comments warn of possible issues with PHP below 5.3. Sounds like that was fixed in an update to the update but I wanted to check. Easy: go to the FreePBX admin page and select Reports > PHP Info. The header lists the PHP version (5.3.10 in my case).

2. I currently have FreePBX 2.10.1.10. The security update is NOT called out as shown above. All I see is this:
[attached screenshot: FreePBX.2.10.png]

3. One thing I love about PiaF is that for the most part I can forget about it, treat it like an appliance. At the moment, it's been up for 35 weeks. All this client needs is to make and receive calls on three phones, so the gazillion module updates are usually unnecessary. And it just works--I almost never log on to the UI. However I do want to apply security fixes, just to be safe. It would be nice if when FreePBX emails me the "New Online Updates Available," it would highlight any that are security-related so I would know to pay attention...

Updating the 49 modules seems to have gone well except for a "symlink from modules failed" issue that I will post separately.
 
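As an added example (not from this thread or from the FreePBX project), a small POSIX shell pre-flight script that ties item 1 of the checklist above to the commands in the first post: it reads the installed PHP version, checks it against the 5.3 floor the blog comments warned about, and only then runs `amportal a modadmin upgrade framework` and `amportal a r` from the Linux shell, which is where `amportal` lives (it is not an Asterisk CLI command). The script name `preflight.sh`, the `--run`/`--dry-run` flags and the helper function names are assumptions of this example; the module name and the two amportal commands are the ones quoted in the first post.

```shell
#!/bin/sh
# preflight.sh (assumed name): check PHP >= 5.3 before upgrading the
# FreePBX Framework module. Added example, not code from the thread or
# from FreePBX. Run from the Linux shell, never from the Asterisk CLI.

MIN_PHP_MAJOR=5
MIN_PHP_MINOR=3

# php_version_ok VERSION: returns 0 when VERSION is at least 5.3, 1 otherwise.
# Accepts "5.3.10", "5.6.40-1ubuntu3" and similar dotted strings.
php_version_ok() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Reject empty or non-numeric parts (e.g. nothing came back from php).
    case "$major$minor" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$major" -gt "$MIN_PHP_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_PHP_MAJOR" ] && [ "$minor" -ge "$MIN_PHP_MINOR" ]; then
        return 0
    fi
    return 1
}

# detect_php_version: prints the PHP version the CLI binary reports, or
# returns 1 when no php binary is on PATH.
detect_php_version() {
    command -v php >/dev/null 2>&1 || return 1
    php -r 'echo PHP_VERSION;' 2>/dev/null
}

# upgrade_framework: runs the two commands from the first post in order.
# With DRY_RUN=1 it only prints what it would run.
upgrade_framework() {
    for cmd in "amportal a modadmin upgrade framework" "amportal a r"; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would run: $cmd"
        else
            # Unquoted on purpose so the string is split into command and arguments.
            $cmd || return 1
        fi
    done
}

main() {
    ver=$(detect_php_version) || { echo "php not found on PATH" >&2; return 2; }
    if php_version_ok "$ver"; then
        echo "PHP $ver meets the $MIN_PHP_MAJOR.$MIN_PHP_MINOR floor; upgrading framework"
        upgrade_framework
    else
        echo "PHP $ver is below $MIN_PHP_MAJOR.$MIN_PHP_MINOR; upgrade PHP before the framework module" >&2
        return 1
    fi
}

# Nothing runs unless asked, so the functions can be sourced and checked on their own.
case "${1:-}" in
    --run)     main ;;
    --dry-run) DRY_RUN=1 main ;;
esac
```

Try `sh preflight.sh --dry-run` first on a PIAF box; it prints the two commands it would run without touching the module store. Because the version check is a separate function, it can also be reused before any other `amportal a modadmin upgrade` that carries a PHP floor.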

tm1000

Schmoozecom INC/FreePBX
Joined
Dec 1, 2009
Messages
1,360
Reaction score
78
For clarification on security related issues (and since I don't want people to think their systems are 'broken'), the orange notice and email messages about security vulnerabilities are only included in FreePBX 2.11, you will not see any of those messages or notices in anything 2.10 or lower.

So actually #2 and #3 are already done and have been for quite some time.

(side note, #1 is also officially fixed and has been for a week, the official notice of the fix is me saying it right now)
 

MartyAtParsec

New Member
Joined
Mar 12, 2014
Messages
8
Reaction score
0
(side note, #1 is also officially fixed and has been for a week, the official notice of the fix is me saying it right now)
Okay, so the "official notice" mechanism is buried in a blog post response chain? Is there maybe some other way to do this?
 
Joined
Oct 5, 2010
Messages
188
Reaction score
38
In addition to the official CVE, you can also follow the Schmooze/FreePBX Status Blog located at http://schmoozestatus.tumblr.com. We will be including official notices on that blog; please note it is purposely built outside our infrastructure (hence the tumblr.com blog). You can follow using the RSS feed http://schmoozestatus.tumblr.com/rss as well. We will also typically include these announcements in our email newsletters, which you can get by signing up for a forum account at freepbx.org.
 

l4cky

Member
Joined
Jan 27, 2015
Messages
175
Reaction score
4
I typed amportal a modadmin upgrade framework into the Asterisk CLI, but it says No such command 'amportal a modadmin upgrade framework' (type 'core show help amportal a' for other possible commands).
Does that mean I need to type core show amportal a modadmin upgrade framework?
 

l4cky

Member
Joined
Jan 27, 2015
Messages
175
Reaction score
4
The 'amportal' command is for the Linux CLI, not the Asterisk CLI.


Code:
root@pbx:~# amportal a modadmin upgrade framework
 
Please wait...
 
Downloading 3425055 of 3425055 (100%) 
 
Untaring..Done
Module framework successfully downloaded
Module framework successfully installed
 
SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/provisioning


um... help..
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
l4cky: Unless you really know what you are doing, upgrade FreePBX modules from within the Module Admin component of the FreePBX GUI, not from the Linux CLI. You haven't damaged anything thus far so head back onto the reservation and upgrade everything else from there. :red indian:
 
