ALERT FreePBX Vulnerability

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
602
Reaction score
235
I have an IncrediblePBX installation that displays "Incredible PBX 13.0.192.19" in "System Overview" on the dashboard.

XRobau says that the "vulnerability is fixed in: 13.0.197.14" and to "make sure that your FreePBX is updated to the latest versions (fwconsole ma upgradeall) of everything."

The response from my Linux command line when invoking fwconsole ma upgradeall is:

Code:
No repos specified, using: [standard,unsupported,extended] from last GUI settings

Up to date.
Updating Hooks...Done
I had thought that the IncrediblePBX naming/numbering nomenclature matched that of the underlying FreePBX GPL structure. If so, it would seem that my system is not in fact updated to a version where the vulnerability is fixed.

Do I need to specify a repo? If so, what?

Or, is the vulnerability specific to an element/module of the FreePBX-specific GUI that is not present in IncrediblePBX?

***edit to add***

Even more confusingly, the status splash screen on startup of this install reflects "13.0.120.10"
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,401
Reaction score
2,731
MAKE A BACKUP FIRST!!! The script below will upgrade all of your FreePBX modules to the latest and greatest...

Code:
cd /root
wget http://incrediblepbx.com/freepbx-update.tar.gz
tar zxvf freepbx-update.tar.gz
rm -f freepbx-update.tar.gz
./freepbx-update
FYI: My understanding is this is a vulnerability in the web GUI so... if your PBX does not expose HTTP access to the world, you're not affected unless you have bad guys inhabiting your private network. We will leave our PUBLIC honeypots unpatched (with HTTP not exposed) and will alert you if a server is compromised.

NOTE: As delivered, no Incredible PBX servers (TM3-protected or PUBLIC) expose HTTP access other than through whitelisted IP addresses.

Framework version check: fwconsole ma list | grep framework
 
Last edited:
  • Like
Reactions: tycho
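The two questions in this thread so far are "is my framework module still older than the fixed release?" (tycho's dashboard shows one number, the splash screen another) and "is my web GUI reachable from anywhere but localhost?" (wardmundy's point that only exposed HTTP is at risk). The script below is an added example, not code from the thread or from the Incredible PBX / FreePBX projects. It assumes the fixed version is the one quoted from xrobau (13.0.197.14), and the two SAMPLE_* variables are constructed stand-ins for the output of `fwconsole ma list` and `ss -ltn`, not captures from a real box. The function names (`framework_version`, `version_cmp`, `http_exposed_listeners`, `report`) are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Incredible PBX/FreePBX.
# Answers two questions: is the installed FreePBX framework module older than
# the fixed release, and does the web GUI listen on a non-loopback address
# (so that a firewall whitelist is the only thing keeping it off the Internet).
# Assumptions: fixed release 13.0.197.14 as quoted from xrobau in the thread;
# SAMPLE_MA_LIST and SAMPLE_SS are constructed, not real command output.

FIXED_FRAMEWORK="13.0.197.14"

# Print the framework module's version from `fwconsole ma list` output on stdin.
framework_version() {
    awk -F'|' '$2 ~ /^ *framework *$/ { gsub(/ /, "", $3); print $3; exit }'
}

# Compare two dotted versions field by field as integers (so 13.0.197.14 > 13.0.9.1,
# which a plain string compare gets wrong). Prints lt, eq or gt.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing trailing fields count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "lt"; exit }
            if (xi > yi) { print "gt"; exit }
        }
        print "eq"
    }'
}

# True (exit 0) when the given framework version is older than FIXED_FRAMEWORK.
framework_needs_update() {
    [ "$(version_cmp "$1" "$FIXED_FRAMEWORK")" = "lt" ]
}

# From `ss -ltn` output on stdin, print every HTTP/HTTPS listener whose local
# address is not loopback. 0.0.0.0, * and [::] all mean "every interface".
http_exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, p, ":"); port = p[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if ((port == "80" || port == "443") && host != "127.0.0.1" && host != "[::1]")
            print addr
    }'
}

# Constructed sample output (layout of the real commands; the values are made up).
SAMPLE_MA_LIST='+-------------------+-------------+---------+---------+
| Module            | Version     | Status  | License |
+-------------------+-------------+---------+---------+
| core              | 13.0.120.10 | Enabled | GPLv3+  |
| framework         | 13.0.192.19 | Enabled | GPLv2+  |
+-------------------+-------------+---------+---------+'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
LISTEN 0      128    [::]:443          [::]:*'

# Report on the two texts. On a real box call it with
#   report "$(fwconsole ma list)" "$(ss -ltn)"
report() {
    ma_list=$1; ss_out=$2
    fw=$(printf '%s\n' "$ma_list" | framework_version)
    if framework_needs_update "$fw"; then
        echo "framework $fw is older than $FIXED_FRAMEWORK: run fwconsole ma upgradeall (or the update script)"
    else
        echo "framework $fw is at or past $FIXED_FRAMEWORK"
    fi
    exposed=$(printf '%s\n' "$ss_out" | http_exposed_listeners)
    if [ -n "$exposed" ]; then
        echo "web GUI listens on non-loopback addresses; confirm the firewall whitelist covers:"
        printf '  %s\n' $exposed
    else
        echo "web GUI is bound to loopback only"
    fi
}

report "$SAMPLE_MA_LIST" "$SAMPLE_SS"
```

A listener on 0.0.0.0:80 is not by itself "exposed to the world" on a box whose firewall whitelists admin IPs, which is the Incredible PBX default the thread describes; the point of the second check is to know that the whitelist is the only thing in the way, so that a firewall that was switched off (the case reconwireless raises later in the thread) is treated as exposure.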

markd89

Member
Joined
Sep 3, 2013
Messages
73
Reaction score
3
wardmundy said: "MAKE A BACKUP FIRST!!! The script below will upgrade all of your FreePBX modules to the latest and greatest..." (quoting the full post above, including the update script and the framework version check)
Are these steps good for 15.x as well?
 

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
602
Reaction score
235
All went well:

Code:
| framework         | 13.0.197.14 | Enabled | GPLv2+  |
I don't have a public-facing, non-whitelisted-IP installation, so I was presumably OK, but still...

Thanks.
 
  • Like
Reactions: wardmundy
reconwireless

Joined
Oct 5, 2010
Messages
185
Reaction score
36
Location
Hilton Head Island, South Carolina
wardmundy said: "MAKE A BACKUP FIRST!!! The script below will upgrade all of your FreePBX modules to the latest and greatest..." (quoting the full post above, including the update script and the framework version check)

@wardmundy once you run your scripts to update to the latest versions, a best practice would be to clear out your existing sessions as well and force all of your administrators to log back in. If a user had their firewall turned off, or was potentially compromised from an internal or external trusted network IP (it happens), this will close out those active sessions.

rm -f /var/lib/php/session/*
 
  • Like
Reactions: wardmundy
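The session-clearing step above hard-codes /var/lib/php/session, which is where PHP's "files" session handler keeps one sess_<id> file per session on a CentOS-style build; on other builds session.save_path points elsewhere (Debian/Ubuntu use /var/lib/php/sessions, for example), and rm with a glob can also fail on a directory holding thousands of session files. The script below is an added example, not code from the thread or from Incredible PBX/FreePBX. It assumes PHP's default "files" session handler (if session.save_handler is something else, deleting files invalidates nothing) and that the PHP CLI reads the same ini as the web SAPI; pass the directory explicitly if that is not the case. The function names `php_session_dir` and `clear_php_sessions` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Incredible PBX/FreePBX.
# Invalidate every PHP (and therefore FreePBX admin GUI) session after patching,
# resolving the session directory instead of assuming /var/lib/php/session.
# Assumptions: session.save_handler is "files" (one "sess_<id>" file per session
# under session.save_path); the PHP CLI sees the same ini as the web SAPI.

# Resolve the session directory: explicit argument, else PHP's session.save_path,
# else the path used in the thread.
php_session_dir() {
    dir=${1:-}
    if [ -z "$dir" ] && command -v php >/dev/null 2>&1; then
        dir=$(php -r 'echo ini_get("session.save_path");' 2>/dev/null)
        # save_path may carry an "N;" or "N;MODE;" prefix; keep only the path part
        dir=${dir##*;}
    fi
    printf '%s\n' "${dir:-/var/lib/php/session}"
}

# Remove session files, and only session files, from a directory.
# Prints the number of files removed; returns 1 if the directory does not exist.
clear_php_sessions() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # find copes with thousands of files where a shell glob would overflow the arg list,
    # and -name 'sess_*' leaves anything else in the directory alone
    count=$(find "$dir" -maxdepth 1 -type f -name 'sess_*' -print | wc -l | tr -d ' ')
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -exec rm -f {} +
    printf '%s\n' "$count"
}

# Run as `sh clear_sessions.sh [dir]` on the PBX after the framework update.
# The guard keeps the deletion from firing when the file is sourced for its functions.
case "$0" in
    *clear_sessions.sh)
        removed=$(clear_php_sessions "$(php_session_dir "${1:-}")") && \
            echo "removed $removed session file(s); all admins must log in again"
        ;;
esac
```

Run it after the module update, not before: an admin who re-authenticates on the unpatched GUI gets a fresh session that would have to be cleared again. Check `php -r 'echo ini_get("session.save_handler");'` first; if it prints anything other than "files", sessions live somewhere this script does not touch.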

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,401
Reaction score
2,731
Nearly had a heart attack when the actual attack vector was posted. So now you know why we NEVER EVER publicly expose port 80 with Incredible PBX.

Thanks, @reconwireless. Added to script above.
 
Last edited:

tbrummell

Guru
Joined
Jan 8, 2011
Messages
698
Reaction score
93
Location
Ottawa, Canada
Well, that was easy. Just exploited it in my lab on a couple of servers. You don't even need to be a coder to do it. LoL. Just a simple URL.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
547
Reaction score
236
Silver lining - this forced an update of the 15.0-latest tarball. The changes needed to install with php 7.3 are now in place.

Installing is not necessarily the same as fully functional. 7.3 is not officially supported yet, but all I've tested seems to work.

Many thanks to @billsimon. He did most of the heavy lifting filing the bug reports (usually with the needed fixes) to get to this point.

EDIT: Just to be clear, I didn't do anything other than test an install this morning. Re-reading the post I was afraid it might imply I had actually done something productive - I did not.
 
Last edited:
  • Like
Reactions: wardmundy

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,401
Reaction score
2,731
We've pushed out an update to Incredible PBX 16-15 systems running on the Raspberry Pi.
 

progs_00

Active Member
Joined
Jan 6, 2014
Messages
101
Reaction score
26
I'm on IPX 13.13.1. Just updated the 4 modules that were set as vulnerable (didn't need to, as the machine does not have a public IP, yet...). Now I get a "Security issue: you have xx tampered files" message. I believe it's the "open-source" signature havoc created by FreePBX. Am I right? Can I remove this red message box from my GUI?
Also there's a bunch of other modules that have updates. Can I update them, or is it better not to?

Thanks

What the...? A simple refresh after clicking the close button has made everything disappear. Is this expected behavior?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,401
Reaction score
2,731
@progs_00 Run /root/sig-fix to address the module signatures. Updating other modules is up to you. We haven't found any deal-breakers in the other updates.
 
