ALERT FreePBX Vulnerability

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
652
Reaction score
272
I have an IncrediblePBX installation that displays "Incredible PBX 13.0.192.19" in "System Overview" on the dashboard.

XRobau says that the "vulnerability is fixed in: 13.0.197.14" and to "make sure that your FreePBX is updated to the latest versions (fwconsole ma upgradeall) of everything."

The response from my Linux command line when invoking fwconsole ma upgradeall is:

Code:
No repos specified, using: [standard,unsupported,extended] from last GUI settings

Up to date.
Updating Hooks...Done

I had thought that the IncrediblePBX naming/numbering nomenclature matched that of the underlying FreePBX GPL structure. If so, it would seem that my system is not in fact updated to a version where the vulnerability is fixed.

Do I need to specify a repo? If so, what?

Or, is the vulnerability specific to an element/module of the FreePBX-specific GUI that is not present in IncrediblePBX?

***edit to add***

Even more confusingly, the status splash screen on startup of this install reflects "13.0.120.10"
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
MAKE A BACKUP FIRST!!! The script below will upgrade all of your FreePBX modules to the latest and greatest...

Code:
cd /root
wget http://incrediblepbx.com/freepbx-update.tar.gz
tar zxvf freepbx-update.tar.gz
rm -f freepbx-update.tar.gz
./freepbx-update

FYI: My understanding is this is a vulnerability in the web GUI so... if your PBX does not expose HTTP access to the world, you're not affected unless you have bad guys inhabiting your private network. We will leave our PUBLIC honeypots unpatched (with HTTP not exposed) and will alert you if a server is compromised.

NOTE: As delivered, no Incredible PBX servers (TM3-protected or PUBLIC) expose HTTP access other than through whitelisted IP addresses.

Framework version check: fwconsole ma list | grep framework
 
Last edited:
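To make the framework version check above mechanical rather than eyeball-based, here is an added example (not part of this thread or of the Incredible PBX scripts): a small POSIX shell script that parses the `fwconsole ma list` table format shown in the thread, pulls out the framework version, and compares it numerically against the fixed version quoted from XRobau (13.0.197.14). The sample table embedded below is constructed for the demonstration; the module names, versions and column layout are assumed to match what `fwconsole ma list` prints on a 13.x system.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether the FreePBX framework
# module reported by `fwconsole ma list` is at or above the fixed version.

# Fixed framework version quoted in the thread (assumption: this is the bar).
FIXED_FRAMEWORK="13.0.197.14"

# Constructed sample of `fwconsole ma list` output in the table format the
# thread shows; only the framework line matters here.
SAMPLE_MA_LIST='| cdr               | 13.0.42.7   | Enabled | GPLv3+  |
| framework         | 13.0.192.19 | Enabled | GPLv2+  |
| sipsettings       | 13.0.29.2   | Enabled | GPLv3+  |'

# Print the version column for the named module, reading ma list output on stdin.
module_version() {
    awk -F'|' -v mod="$1" '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)   # trim module name cell
            gsub(/^[ \t]+|[ \t]+$/, "", $3)   # trim version cell
            if ($2 == mod) { print $3; exit }
        }'
}

# Exit 0 if dotted version $1 >= $2, comparing field by field as integers so
# that 13.0.197.14 correctly sorts above 13.0.99.1 (a plain string compare would not).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0   # missing trailing fields count as 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x < y) exit 1
            if (x > y) exit 0
        }
        exit 0
    }'
}

# Report the framework status for the given ma list output.
# Returns 0 = patched, 1 = below the fixed version, 2 = framework line not found.
framework_status() {
    v=$(printf '%s\n' "$1" | module_version framework)
    if [ -z "$v" ]; then
        echo "unknown (no framework line found)"
        return 2
    fi
    if version_ge "$v" "$FIXED_FRAMEWORK"; then
        echo "patched ($v)"
        return 0
    fi
    echo "vulnerable ($v < $FIXED_FRAMEWORK)"
    return 1
}

# Demonstration on the constructed sample; on a real box replace the argument
# with "$(fwconsole ma list)".
framework_status "$SAMPLE_MA_LIST"
```

On a live system the last line becomes `framework_status "$(fwconsole ma list)"`, and the exit status can drive a cron job or monitoring check; the numeric comparison matters because the thread itself shows a splash screen reporting 13.0.120.10 next to a dashboard reporting 13.0.192.19, and neither is obviously ordered against 13.0.197.14 by a string compare.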

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
 

markd89

Member
Joined
Sep 3, 2013
Messages
97
Reaction score
9
MAKE A BACKUP FIRST!!! The script below will upgrade all of your FreePBX modules to the latest and greatest...

Code:
cd /root
wget http://incrediblepbx.com/freepbx-update.tar.gz
tar zxvf freepbx-update.tar.gz
rm -f freepbx-update.tar.gz
./freepbx-update

FYI: My understanding is this is a vulnerability in the web GUI so... if your PBX does not expose HTTP access to the world, you're not affected. We will leave our PUBLIC honeypots unpatched (with HTTP not exposed) and will alert you if a server is compromised.

NOTE: As delivered, no Incredible PBX servers (TM3-protected or PUBLIC) expose HTTP access other than through whitelisted IP addresses.

Framework version check: fwconsole ma list | grep framework

Are these steps good for 15.x as well?
 

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
652
Reaction score
272
All went well:

Code:
| framework         | 13.0.197.14 | Enabled | GPLv2+  |

I don't have a public facing, non-whitelisted-IP installation, so I was presumably OK, but still...

Thanks.
 
Joined
Oct 5, 2010
Messages
188
Reaction score
38
MAKE A BACKUP FIRST!!! The script below will upgrade all of your FreePBX modules to the latest and greatest...

Code:
cd /root
wget http://incrediblepbx.com/freepbx-update.tar.gz
tar zxvf freepbx-update.tar.gz
rm -f freepbx-update.tar.gz
./freepbx-update

FYI: My understanding is this is a vulnerability in the web GUI so... if your PBX does not expose HTTP access to the world, you're not affected. We will leave our PUBLIC honeypots unpatched (with HTTP not exposed) and will alert you if a server is compromised.

NOTE: As delivered, no Incredible PBX servers (TM3-protected or PUBLIC) expose HTTP access other than through whitelisted IP addresses.

Framework version check: fwconsole ma list | grep framework


@wardmundy once you run your scripts to update to the latest versions, a best practice would be to clear out your existing sessions as well and force all of your administrators to log back in. If a user had their firewall turned off, or potentially compromised from an internal or external trusted network IP (It happens) this will close out those active sessions.

rm -f /var/lib/php/session/*
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Nearly had a heart attack when the actual attack vector was posted. So now you know why we NEVER EVER publicly expose port 80 with Incredible PBX.

Thanks, @reconwireless. Added to script above.
 
Last edited:

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
Well, that was easy. Just exploited it in my lab on a couple of servers. You don't even need to be a coder to do it. LoL Just a simple URL.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Silver lining - this forced an update of the 15.0-latest tarball. The changes needed to install with php 7.3 are now in place.

Installing is not necessarily the same as fully functional. 7.3 is not officially supported yet, but all I've tested seems to work.

Many thanks to @billsimon. He did most of the heavy lifting filing the bug reports (usually with the needed fixes) to get to this point.

EDIT: Just to be clear, I didn't do anything other than test an install this morning. Re-reading the post I was afraid it might imply I had actually done something productive - I did not.
 
Last edited:

dallas

Active Member
Joined
Oct 21, 2007
Messages
844
Reaction score
247
It looks like Pastebin has removed the attack vector page. :confused:
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
We've pushed out an update to Incredible PBX 16-15 systems running on the Raspberry Pi.
 

progs_00

Active Member
Joined
Jan 6, 2014
Messages
132
Reaction score
37
I'm on IPX 13.13.1. Just updated the 4 modules that were set as vulnerable (didn't need to, as the machine does not have a public IP, yet...). Now I get a "Security issue: you have xx tampered files" message. I believe it's the "open-source" signature havoc created by FreePBX. Am I right? Can I remove this red message box from my GUI?
Also there's a bunch of other modules that have updates. Can I update them or is it better not to?

Thanks

What the...? A simple refresh after clicking the close button has made everything disappear. Is this expected behavior?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
@progs_00 Run /root/sig-fix to address the module signatures. Updating other modules is up to you. We haven't found any deal-breakers in the other updates.
 
