ALERT Security Hole in Dial Plan

john p

When I looked at my system (Incredible PBX 3.11.9, FreePBX 2.11.0.35), the external call transfer was not enabled and I don't think I ever changed it. (As I understand the link, the Asterisk dial options field in Settings > Advanced needs a "T" to enable calling transfer.) In a test call, the external caller transfer request was ignored but transfer by the internal called line worked as expected.

My settings as current (YMMV)
Asterisk Dial Options: tr
Asterisk Outbound Trunk Dial Options: (blank)

Hope this helps!
 

wardmundy

For the non-pioneers that would prefer to just remove the T flag from the dial option defaults (Ttr) and both flags from the trunk (Tt) defaults and fix the problem, here's the code to do it from the Linux command line. Won't hurt anything to apply the patch whether you need it or not. Also won't hurt anything to apply the patch more than once.
Code:
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
amportal a r
We will push this out as a security update to all Incredible PBX servers.
 

jerrm

For the non-pioneers that would prefer to just remove the T option from the dial (Ttr) and trunk (Tt) options and fix the problem, here's the code to do it from the Linux command line. Won't hurt anything to apply the patch whether you need it or not. Also won't hurt anything to apply the patch more than once.
Code:
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
amportal a r
We will push this out as a security update to all Incredible PBX servers.
Do not rush this out as an auto-patch. It will break expected functionality for some. Wait for the code patch to become official and update the appropriate modules.

For outbound especially, there are many follow-me type situations where one wants/expects transfer capability. For internal calls, as @billsimon points out in the freepbx forum, this impacts internal extension to extension calls as well.

I've never liked the defaults, but anyone surprised by this has never RTFM (or RTFTT). It works and behaves EXACTLY as documented.

The biggest concern is the freepbx folks seem surprised by this.
 

wardmundy

@jerrm Thanks for your comments. You're certainly correct for the follow-me situations, but I've got to believe that is the exception, rather than the rule. Anyone can always reconfigure the T option if needed. Now that we know the vulnerability is being exploited and because of the very real financial risk, I think applying the patch immediately and responding to questions later is warranted.
 

wardmundy

I have removed the previous attempt to patch dialparties.agi in FreePBX 12 now that Andrew has indicated (in his usually charming way) that it won't work.

For the record, we never suggested the patch would "fix" the problem with FreePBX 12. We recommended that pioneers (only) test the patch to determine if it would fix the problem. Removing the T entries will fix this problem but may cause others. Once a Core update for FreePBX 12 is released and tested, we will push out the permanent fix.
 

wardmundy

Perhaps our resident Lurker will report back our appreciation and kind words about the prompt efforts of the FreePBX Dev Team to address the problem...

 

Dan Lawrence

Just confirming I found my PIAF 3.0.6.6 system was vulnerable to this "attack". Issuing the above changes via mysql closed the hole.

For reference...
Code:
PIAF Installed Version   = 3.0.6.6
FreePBX Version          = 2.11.0.43
Running Asterisk Version = 11.16.0
Asterisk Source Version  = 11.16.0
Zap/Dahdi Source Version = N/A
Libpri Source Version    = 1.4.15
 

wardmundy

Please note that we have updated the patch above in light of a comment on DSL Reports which noted:
 

wardmundy

More info. This IS a mess. For TRUNK_OPTIONS, what most will want is NONE, but leaving it blank = BOTH. So stay tuned!
 

dicko

s(n) is a good non-default option and has some other advantages.
 

dicko

'i' is perhaps disruptive of the FreePBX dialplan. I use the s(n) to limit some of those 800 call-in bs that never get to voicemail and its inbuilt time limits. Needs tuning to suit what you think is a long call, of course. Think of it as a non-global timeout() equivalent.
 

wardmundy

'i' is perhaps disruptive of the FreePBX dialplan. I use the s(n) to limit some of those 800 call-in bs that never get to voicemail and its inbuilt time limits. Needs tuning to suit what you think is a long call, of course. Think of it as a non-global timeout() equivalent.
The question becomes how to make it pseudo-generic as a default??
 

dicko

I would try overriding the generic DIAL_OPTIONS in extensions_additional.conf:


[globals](+)
DIAL_OPTIONS = whatever
 

jerrm

The question becomes how to make it pseudo-generic as a default??
What's wrong with blank? I don't interpret the tooltip to mean blank=Tt, only that blank is a valid option. Quick testing shows that blank does not allow DTMF transfers from either side, which I think is the behavior you want.

"TRUNK_OPTIONS = " in extensions_additional.conf is set to whatever is displayed in GUI field. "Tt" is not inserted if the field is blank. "Tt" is not found anywhere in my /etc/asterisk/* if the field is blank.
 
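Added example (not part of the thread, and not FreePBX or Incredible PBX code): a read-only check of the generated [globals] values discussed in the post above, assuming the `KEY = value` layout of extensions_additional.conf that the post describes. The function names are hypothetical, and option arguments in parentheses are stripped first so that a letter inside them is not mistaken for a transfer flag.

```shell
#!/bin/sh
# Added example: audit generated FreePBX globals for DTMF-transfer flags.

# Remove option arguments such as U(Tnotify) so a letter inside the
# parentheses is not mistaken for a flag (constructed argument name).
strip_args() { printf '%s' "$1" | sed 's/([^)]*)//g'; }

# has_flag OPTIONS LETTERS: succeeds if any of LETTERS is set as a flag.
has_flag() {
    case "$(strip_args "$1")" in
        *[$2]*) return 0 ;;
    esac
    return 1
}

# get_global FILE KEY: print the value of KEY from any [globals] section.
get_global() {
    awk -v key="$2" '
        /^\[/ { in_g = ($0 ~ /^\[globals\]/); next }
        in_g && index($0, "=") {
            sub(/;.*/, "")                  # drop trailing comment
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v           # assumption: last definition wins
        }
        END { print val }' "$1"
}

# audit FILE: report risky flags; returns 1 if any are present.
audit() {
    rc=0
    dial=$(get_global "$1" DIAL_OPTIONS)
    trunk=$(get_global "$1" TRUNK_OPTIONS)
    if has_flag "$dial" T; then
        echo "DIAL_OPTIONS=$dial: T lets the calling party transfer"; rc=1
    fi
    if has_flag "$trunk" Tt; then
        echo "TRUNK_OPTIONS=$trunk: transfer enabled on trunk calls"; rc=1
    fi
    return "$rc"
}

# Constructed sample (not from a real server) using the old Ttr / Tt defaults.
sample=$(mktemp)
printf '[globals]\nDIAL_OPTIONS = Ttr\nTRUNK_OPTIONS = Tt\n' > "$sample"
audit "$sample" || echo "=> flags found: compare with the tr / blank settings"
rm -f "$sample"
```

On a server, the same check would be `audit /etc/asterisk/extensions_additional.conf`, run after `amportal a r` has regenerated the file.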

wardmundy

Andrew Nagy now has confirmed that the correct setting for TRUNK_OPTIONS should be blank. So here's the correct patch. This will have to be manually applied on PIAF servers, and you should get an automatic update (maybe 3 of them if you're one of the "lucky" ones) on Incredible PBX servers:
Code:
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
amportal a r
 

jeff.h

I assume this was updates 719, 720 and 721 Outbound security patch, #2 and #3? I got them on all 4 of my PBXes over the weekend.
 
