ALERT Security Hole in Dial Plan

john p

Member
Joined
Jul 9, 2013
Messages
82
Reaction score
6
When I looked at my system (Incredible PBX 3.11.9, FreePBX 2.11.0.35), the external call transfer was not enabled & I don't think I ever changed it. (As I understand the link, the Asterisk dial options field in Settings>Advanced needs a "T" to enable calling transfer.) In a test call, the external caller transfer request was ignored but transfer by the internal called line worked as expected.

My settings as current (YMMV)
Asterisk Dial Options: tr
Asterisk Outbound Trunk Dial Options: (blank)

Hope this helps!
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
For the non-pioneers that would prefer to just remove the T flag from the dial option defaults (Ttr) and both flags from the trunk (Tt) defaults and fix the problem, here's the code to do it from the Linux command line. Won't hurt anything to apply the patch whether you need it or not. Also won't hurt anything to apply the patch more than once.
Code:
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
amportal a r

We will push this out as a security update to all Incredible PBX servers.
 
Last edited:

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
For the non-pioneers that would prefer to just remove the T option from the dial (Ttr) and trunk (Tt) options and fix the problem, here's the code to do it from the Linux command line. Won't hurt anything to apply the patch whether you need it or not. Also won't hurt anything to apply the patch more than once.
Code:
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
amportal a r

We will push this out as a security update to all Incredible PBX servers.
Do not rush this out as an auto-patch. It will break expected functionality for some. Wait for the code patch to become official and update the appropriate modules.

For outbound especially, there are many follow-me type situations where one wants/expects transfer capability. For internal calls, as @billsimon points out in the freepbx forum, this impacts internal extension to extension calls as well.

I've never liked the defaults, but anyone surprised by this has never RTFM (or RTFTT). It works and behaves EXACTLY as documented.

The biggest concern is the freepbx folks seem surprised by this.
 
Last edited by a moderator:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
@jerrm Thanks for your comments. You're certainly correct for the follow-me situations, but I've got to believe that is the exception, rather than the rule. Anyone can always reconfigure the T option if needed. Now that we know the vulnerability is being exploited and because of the very real financial risk, I think applying the patch immediately and responding to questions later is warranted.
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
I have removed the previous attempt to patch dialparties.agi in FreePBX 12 now that Andrew has indicated (in his usually charming way) that it won't work.

For the record, we never suggested the patch would "fix" the problem with FreePBX 12. We recommended that pioneers (only) test the patch to determine if it would fix the problem. Removing the T entries will fix this problem but may cause others. Once a Core update for FreePBX 12 is released and tested, we will push out the permanent fix.
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
Perhaps our resident Lurker will report back our appreciation and kind words about the prompt efforts of the FreePBX Dev Team to address the problem...

 
Last edited:

Dan Lawrence

Member
Joined
Jan 4, 2008
Messages
47
Reaction score
9
Just confirming I found my PIAF 3.0.6.6 system was vulnerable to this "attack". Issuing the above changes via mysql closed the hole.

For reference...
Code:
PIAF Installed Version   = 3.0.6.6
FreePBX Version          = 2.11.0.43
Running Asterisk Version = 11.16.0
Asterisk Source Version  = 11.16.0
Zap/Dahdi Source Version = N/A
Libpri Source Version    = 1.4.15
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
Please note that we have updated the patch above in light of a comment on DSL Reports which noted:
[Image attachment: CgGhQwWWwAE5M-E.jpg]
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
More info. This IS a mess. For TRUNK_OPTIONS, what most will want is NONE, but leaving it blank = BOTH. So stay tuned!
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,604
Reaction score
822
s(n) is a good non default option and has some other advantages.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,604
Reaction score
822
'i' perhaps disruptive of the FreePBX dialplan, I use the s(n) to limit some of those 800 call-in bs that never get to voicemail and its inbuilt time limits. Needs tuning to suit what you think is a long call of course. Think of it as a non-global timeout() equivalent.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
'i' perhaps disruptive of the FreePBX dialplan, I use the s(n) to limit some of those 800 call-in bs that never get to voicemail and its inbuilt time limits. Needs tuning to suit what you think is a long call of course. Think of it as a non-global timeout() equivalent.

The question becomes how to make it pseudo-generic as a default??
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,604
Reaction score
822
I would try in extensions_additional.conf override the generic DIAL_OPTIONS


[globals](+)
DIAL_OPTIONS = whatever
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
The question becomes how to make it pseudo-generic as a default??
What's wrong with blank? I don't interpret the tooltip to mean blank=Tt, only that blank is a valid option. Quick testing shows that blank does not allow DTMF transfers from either side, which I think is the behavior you want.

"TRUNK_OPTIONS = " in extensions_additional.conf is set to whatever is displayed in GUI field. "Tt" is not inserted if the field is blank. "Tt" is not found anywhere in my /etc/asterisk/* if the field is blank.
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,159
Reaction score
5,192
Andrew Nagy now has confirmed that the correct setting for TRUNK_OPTIONS should be blank. So here's the correct patch. This will have to be manually applied on PIAF servers, and you should get an automatic update (maybe 3 of them if you're one of the "lucky" ones) on Incredible PBX servers:
Code:
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
amportal a r
 
Last edited:
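
An added audit sketch, not part of the post above or of the FreePBX code: it reads the DIAL_OPTIONS and TRUNK_OPTIONS globals from an extensions_additional.conf-style file and reports whether the transfer flags removed by the patch are still present. The function names and the sample file contents are constructed for illustration; on a real system, point `audit_dial_options` at the generated file under /etc/asterisk/.

```shell
#!/bin/sh
# Added example: audit the Dial() option globals for the transfer flags
# discussed in this thread. Function names are illustrative.

# Print the value of "KEY = value" from a dialplan file (last one wins).
get_global() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | tr -d '[:space:]'
}

# Drop one level of parenthesised arguments, e.g. S(3600) or M(Transfer),
# so letters inside them are not mistaken for option flags.
strip_args() {
    printf '%s' "$1" | sed 's/([^)]*)//g'
}

# Return 0 when the file matches the patched state from the thread:
# no 'T' in DIAL_OPTIONS, neither 'T' nor 't' in TRUNK_OPTIONS.
audit_dial_options() {
    rc=0
    dial=$(strip_args "$(get_global DIAL_OPTIONS "$1")")
    trunk=$(strip_args "$(get_global TRUNK_OPTIONS "$1")")
    case "$dial" in
        *T*) echo "DIAL_OPTIONS=$dial: calling-party transfer (T) is on"; rc=1 ;;
    esac
    case "$trunk" in
        *[Tt]*) echo "TRUNK_OPTIONS=$trunk: transfer flag set on trunk calls"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[globals]
DIAL_OPTIONS = TtrS(3600)
TRUNK_OPTIONS = Tt
EOF
audit_dial_options "$sample" || echo "-> still has the pre-patch defaults"
rm -f "$sample"
```

A non-zero return means at least one of the two globals still carries a flag the patch removes; a blank TRUNK_OPTIONS and a DIAL_OPTIONS of `tr` pass.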

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
I assume this was updates 719, 720 and 721 Outbound security patch, #2 and #3? I got them on all 4 of my PBXes over the weekend.
 

hecatae

resident hecatae
Joined
Feb 7, 2014
Messages
759
Reaction score
199
@wardmundy are incrediblepbx elastix 2.5 and elastix 4.0 patched as well?
 
Last edited:
