If you’re a user of Asterisk® and FreePBX®, the DEFCON 31 Conference in Las Vegas did not disappoint this year. It exposed not one but three critical, unpatched vulnerabilities in FreePBX-based platforms that can compromise your servers in under a minute. I would hasten to add that all of these vulnerabilities were disclosed to Sangoma® months ago and remain unaddressed. What this means is that an attacker can easily gain administrator privileges on your server, with a blank check to make free calls on your nickel or to further infect your server with additional hidden components.
How Vulnerable Are You?
Here’s a quick summary of the bugs documented in the presentation above. If you expose a port on your server to configure SIP phones, you’re compromised. If your users have public IP access to the User Control Panel (UCP), you’re compromised. Any user can delete any asterisk-owned file from your server. Use a Digium® or Sangoma® VoIP phone? You’re compromised. In fact, all that is needed is the MAC address of one of these phones, its login password, and the User-Agent header of any Digium phone (Digium D60 2_7_0); if the dphone RestApp API is running on your server, you’re compromised. Are you running the API module in FreePBX with public IP access to your server? You’re compromised because of a bug in the generateDocumentation function. These are classic command injection and authentication bypass issues in FreePBX, and they can even be triggered from the bad guys’ servers using generated access tokens.
Sangoma, Sangoma. Wherefore Art Thou?
You can read all about Sangoma’s Bug Bounty Program here. It was conveniently deleted immediately after this zero-day vulnerability was reported. We’ve reproduced the page from the Wayback Machine. So what happened? According to the pseudonymous researcher, not much. Aside from an initial response indicating that the bugs had been addressed, there was no follow-up when the researcher advised that the patches did not work.
What Can You Do?
Your safest bet is to switch to a security model that does not expose your server or its assets to the public Internet. Incredible PBX is an out-of-the-box platform that provides this security. It’s available for Rocky 8 (not recommended), Debian 11, and Ubuntu 22.04, as well as virtualization platforms including VirtualBox, VMware, Proxmox, Windows WSLg, LXC Linux Containers, and Apple’s UTM platform. OpenVPN is also strongly recommended.
At the very minimum, put your server behind a hardware-based firewall with no public Internet exposure until these bugs are properly resolved. You’ve been warned!
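As an added example (not code from the original post or from FreePBX), here is a small audit script that reads the output of `ss -Hltn` and flags services bound to a wildcard address on the ports FreePBX typically uses for the admin GUI, UCP, REST apps and phone provisioning, i.e. exactly the exposure conditions described above. The port-to-role table is an assumption for illustration, so confirm it against the Port Management settings of your own installation.

```python
"""Flag FreePBX-related services that listen on every interface.

Added example, not FreePBX code.  The port-to-role table below is an
assumption for illustration; check it against your own Port Management
settings before acting on the output.
"""
import subprocess
from typing import Dict, List, Tuple

# Assumed defaults: adjust to match your installation.
FREEPBX_ROLES: Dict[int, str] = {
    80: "admin GUI http",
    443: "admin GUI https",
    81: "UCP http",
    4443: "UCP https",
    83: "REST apps / phone apps",
    84: "phone provisioning",
    8001: "UCP node server ws",
    8003: "UCP node server wss",
}

# Local addresses that mean "every interface", IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -Hltn` output used for offline demonstration.
SAMPLE_SS_OUTPUT = """LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:81 [::]:*
LISTEN 0 128 10.8.0.1:443 0.0.0.0:*
"""


def parse_ss(ss_output: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) pairs from `ss -Hltn` lines.
    Column order is State Recv-Q Send-Q Local Peer; -H drops the header."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def public_exposures(ss_output: str, roles: Dict[int, str] = FREEPBX_ROLES) -> List[str]:
    """Describe every known-role port that is bound to all interfaces."""
    return [f"port {port} ({roles[port]}) listens on {addr}"
            for addr, port in parse_ss(ss_output)
            if addr in WILDCARD_ADDRS and port in roles]


if __name__ == "__main__":
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    for finding in public_exposures(out) or ["no wildcard-bound FreePBX ports found"]:
        print(finding)
```

A listener bound to a VPN or LAN address (like 10.8.0.1:443 in the sample) is not reported, since that is the posture the post recommends; anything flagged should be moved behind the firewall or VPN.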
Follow updated comments on this issue on the FreePBX Forum and the VoIP-info.org Forum.
Originally published: Sunday, September 17, 2023 Updated: October 13, 2023
Need help with Asterisk? Visit the VoIP-info Forum.
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
On September 1, Skyetel informs their customers they have 30 days to Get Out before a $25/monthly minimum charge goes into effect and now this. Pure joy for admins.
Sangoma finally blinks… or at least winks.
https://www.freepbx.org/freepbx-security-issue-sec-2023-001/