ALERT FreePBX RCE Vulnerability - CRITICAL (ALL Versions)

Discussion in 'Bug Reporting and Fixes' started by Chris Sweeney, Oct 1, 2014.

  1. Chris Sweeney

    Joined:
    May 23, 2013
    Messages:
    223
    Likes Received:
    28
    freepbx.org/node/92822 <--read full text here

    We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.
    This exploit allows users to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which may then be used to grant the attacker full remote code execution access as the user running the Apache process.
    We have released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12 per our security policy which covers releases that have come out over the last 3.5 years. Versions 2.8 and prior can be easily updated to 2.9 or higher through Module Admin which will remove the vulnerability. Versions 2.11 and 12 are the only officially supported versions of FreePBX but we always apply security patches to the two prior versions as well.

    Users prior to FreePBX 12 should update immediately.
    FreePBX 12 users should disable and uninstall the legacy FreePBX ARI Framework module and switch to the new User Control Panel, which is not to be confused with the previous ‘User Control Panel Tab’.
    Please note that indications of a compromised system include the presence of a “System Admin Dashboard” (also called the “admindashboard” module) and/or the files c2.pl and c.sh.
     
  2. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    Thanks, Chris Sweeney!

    A more accurate summary of the problem would be the following:

    "This exploit allows users to bypass [FreePBX] authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present."

    We obviously recommend that everyone update FreePBX immediately! Having said that, this vulnerability should pose little risk to PBX in a Flash and Incredible PBX servers (only!). PBX in a Flash requires Apache's maint password to access ARI or any of its underlying code. In fact, it was a previous ARI vulnerability that prompted us to migrate from FreePBX security to Apache security years ago. The newer, stand-alone Incredible PBX implementations employ FreePBX security AND also require IPtables WhiteList permissions to access ARI or anything else on Incredible PBX servers.

    PBX in a Flash servers with /etc/pbx/httpdconf/ari.conf in place should return the following. Be sure to test it with a browser that does not have your Apache maint credentials cached!

    [image not extracted]

    For the history of this (latest) vulnerability, see the FreePBX forum thread (now closed) from several days ago in which this security issue in the FreePBX Distro ("ISO from official site") was raised by more than one user. Also note that port 80 was directly exposed to the Internet without a firewall WhiteList in place to protect the server, a setup we have long since abandoned.

    [Edit] ARI update has been pushed out to all Incredible PBX systems. Log in again as root to get it.
     
  3. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    WARNING: After updating all of the new FreePBX modules, we have noticed on some Ubuntu/Debian servers (e.g. CuBox) that FreePBX cannot be reloaded by clicking the red Apply Config button. You'll see an error such as the following:

    [FATAL] Unable to connect to Asterisk Manager

    The solution is to issue the following commands from the Linux CLI after logging into your server as root:
    Code:
    # point FreePBX at the Asterisk Manager via 127.0.0.1 instead of the 'localhost' name
    sed -i 's|localhost|127.0.0.1|' /etc/freepbx.conf
    amportal restart
    # "amportal a r" is shorthand for "amportal admin reload" (re-apply the config)
    amportal a r
    
     
  4. markd89

    markd89 Member

    Joined:
    Sep 3, 2013
    Messages:
    40
    Likes Received:
    1
    Ward, what's the recommended procedure to do these updates?

    Thanks,
    Mark
     
  5. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    On Incredible PBX servers, it's automatic when you log in again as root.

    Otherwise...

    FreePBX -> Module Admin -> Check Online -> Upgrade All -> Process -> Apply Config

    If you get an error when you click Apply Config, then follow the steps above to resolve it.
     
  7. MacNix

    MacNix Guru

    Joined:
    Jun 21, 2011
    Messages:
    197
    Likes Received:
    30
    So, just to clarify, please confirm:

    My machine is protected if:
    I'm on FreePBX 12 & up
    or
    I'm on PIAF with any flavor of FreePBX


    Is that correct??

     
  8. LesD

    LesD Member

    Joined:
    Nov 8, 2009
    Messages:
    408
    Likes Received:
    15
    My conclusion from what Ward wrote is you are OK if

    1. You are on 12 as a new install - did not upgrade from 11.

    2. Upgraded from 11 and removed the old ARI module

    Even though PIAF should not be vulnerable, the advice still seems to be to follow the above.
     
  9. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    At the very minimum, you should run the following commands to protect your servers:
    Code:
    # AMPWEBROOT is the FreePBX web root set in /etc/amportal.conf (commonly /var/www/html)
    rm -rf AMPWEBROOT/admin/modules/admindashboard
    # "amportal a ma" is shorthand for "amportal admin moduleadmin": upgrade the ARI framework module
    amportal a ma upgrade fw_ari
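An added defender-side check that is not part of this thread or of FreePBX: it scans a FreePBX web root for the compromise indicators named in the advisory (the "admindashboard" module and the files c2.pl / c.sh) and reports whether the legacy fw_ari module is still installed, which is what the commands above act on. It assumes the web root is passed as the first argument (AMPWEBROOT from /etc/amportal.conf, commonly /var/www/html).

```shell
#!/bin/sh
# Added example, not from this thread: scan a FreePBX web root for the
# compromise indicators named in the advisory (an "admindashboard"
# module, files c2.pl / c.sh) and report whether the legacy fw_ari
# module is still installed. Assumption: $1 is the FreePBX web root
# (AMPWEBROOT in /etc/amportal.conf, commonly /var/www/html).

# Returns 0 when no compromise indicator is found, 1 when at least one
# is found, 2 when the directory does not exist. Findings go to stdout.
check_freepbx_ioc() {
    webroot=$1
    found=0
    if [ ! -d "$webroot" ]; then
        echo "no such directory: $webroot" >&2
        return 2
    fi

    # Indicator: the rogue "System Admin Dashboard" (admindashboard) module.
    if [ -d "$webroot/admin/modules/admindashboard" ]; then
        echo "INDICATOR: admindashboard module at $webroot/admin/modules/admindashboard"
        found=1
    fi

    # Indicator: c2.pl or c.sh anywhere under the web root.
    hits=$(find "$webroot" -type f \( -name c2.pl -o -name c.sh \) 2>/dev/null)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/INDICATOR: suspicious file /'
        found=1
    fi

    # Exposure, not proof of compromise: the legacy ARI module is present.
    # Pre-12 systems need the patched fw_ari; FreePBX 12 should remove it.
    if [ -d "$webroot/admin/modules/fw_ari" ]; then
        echo "NOTE: legacy fw_ari module installed; confirm it is patched or remove it"
    fi

    if [ "$found" -eq 0 ]; then
        echo "no compromise indicators found under $webroot"
    fi
    return "$found"
}

# Usage: sh freepbx_ioc_check.sh /var/www/html
if [ $# -gt 0 ]; then
    check_freepbx_ioc "$1"
fi
```

A non-zero exit status means at least one indicator was found, so the script can be dropped into a cron job or monitoring check.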
     
  11. mainenotarynet

    mainenotarynet Not really a Guru - Just a long time user

    Joined:
    May 29, 2010
    Messages:
    590
    Likes Received:
    68
    My system - PiaF-Green - IncrediblePBX/Fax has a file

    bootstrap.php but NOT bootstrap.inc.php

    Just FYI in case these are the same thing.
     