ALERT FreePBX RCE Vulnerability - CRITICAL (ALL Versions)

Joined
May 23, 2013
Messages
223
Reaction score
28
Location
Troy, Ohio
freepbx.org/node/92822 <--read full text here

We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.
This exploit allows users to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which may then be used to grant the attacker full remote code execution access as the user running the Apache process.
We have released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12 per our security policy which covers releases that have come out over the last 3.5 years. Versions 2.8 and prior can be easily updated to 2.9 or higher through Module Admin which will remove the vulnerability. Versions 2.11 and 12 are the only officially supported versions of FreePBX but we always apply security patches to the two prior versions as well.

Users prior to FreePBX 12 should update immediately.
FreePBX 12 users should disable and uninstall the legacy FreePBX ARI Framework module and switch to the new User Control Panel, which is not to be confused with the previous ‘User Control Panel Tab’.
Please note that indications of a compromised system include the presence of an “System Admin Dashboard” also called “admindashboard” module, the files c2.pl and/or c.sh.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,331
Reaction score
2,707
Thanks, Chris Sweeney!

A more accurate summary of the problem would be the following:

"This exploit allows users to bypass [FreePBX] authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present."

We obviously recommend that everyone update FreePBX immediately! Having said that, this vulnerability should pose little risk to PBX in a Flash and Incredible PBX servers (only!). PBX in a Flash requires Apache's maint password to access ARI or any of its underlying code. In fact, it was a previous ARI vulnerability that prompted us to migrate from FreePBX security to Apache security years ago. The newer, stand-alone Incredible PBX implementations employ FreePBX security AND also require IPtables WhiteList permissions to access ARI or anything else on Incredible PBX servers.

PBX in a Flash servers with /etc/pbx/httpdconf/ari.conf in place should return the following. Be sure to test it with a browser that does not have your Apache maint credentials cached!



For the history of this (latest) vulnerability, see the FreePBX forum thread (now closed) from several days ago in which this security issue in the FreePBX Distro ("ISO from official site") was raised by more than one user. Also note that port 80 was directly exposed to the Internet, a setup we have long since abandoned without a firewall WhiteList in place to protect the server.

[Edit] ARI update has been pushed out to all Incredible PBX systems. Log in again as root to get it.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,331
Reaction score
2,707
WARNING: After updating all of the new FreePBX modules, we have noticed on some Ubuntu/Debian servers (e.g. CuBox) that FreePBX cannot be reloaded by clicking the red Apply Config button. You'll see an error such as the following:

[FATAL] Unable to connect to Asterisk Manager

The solution is to issue the following commands from the Linux CLI after logging into your server as root:
Code:
sed -i 's|localhost|127.0.0.1|' /etc/freepbx.conf
amportal restart
amportal a r
 

markd89

Member
Joined
Sep 3, 2013
Messages
69
Reaction score
2
Ward, what's the recommended procedure to do these updates?

Thanks,
Mark
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,331
Reaction score
2,707
On Incredible PBX servers, it's automatic when you log in again as root.

Otherwise...

FreePBX -> Module Admin -> Check Online -> Upgrade All -> Process -> Apply Config

If you get an error when you click Apply Config, then follow the steps above to resolve it.
 

MacNix

Guru
Joined
Jun 21, 2011
Messages
198
Reaction score
31
Location
right here....
so, just to clarify, please confirm:

My machine is protected if:
if i'm on FreePBX 12 & up​
or​
I'm on Piaf with any flavor of FreePBX​
Is that correct??
 

LesD

Member
Joined
Nov 8, 2009
Messages
408
Reaction score
15
My conclusion from what Ward wrote is you are OK if

1. You are on 12 as a new install - did not upgrade from 11.

2. Upgraded from 11 and removed the old ARI module

Even though PIAF should not be vulnerable, the advice still seems to be to follow the above.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,331
Reaction score
2,707
At the very minimum, you should run the following commands to protect your servers:
Code:
rm -rf AMPWEBROOT/admin/modules/admindashboard
amportal a ma upgrade fw_ari
 

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
618
Reaction score
82
Location
Bangor, ME USA
My system - PiaF-Green - IncrediblePBX/Fax has a file

bootstrap.php but NOT bootstrap.inc.php

Just FYI in case these are the same thing.
 

Members online

No members online now.

PIAF 5 - Powered by 3CX

Forum statistics

Threads
22,529
Messages
138,606
Members
14,650
Latest member
hemazoher