Security Concerns, 2.11 Updates and Expiring Early Bird Specials

We continue to make progress playing with the various technology efforts that we have planned for 2.11, mentioned in the [url=/news/2012-03-13/what-are-we-thinking-about-for-2-11]last blog post.[/url] While at it we also continue to plug the miscellaneous bugs that always surface after a final release, and just in general. For as much as we changed in 2.10, it’s been pretty smooth sailing! In addition to updating you on the 2.11 efforts, we’ll update you on a recent Security Vulnerability that has been addressed and some thoughts it provoked on the subject. Lastly, if you’re thinking about OTTS, the [url=/open-telephony-training-seminar-register]Early Bird Special expires Saturday[/url] so don’t procrastinate too long if you would like to save a few hundred dollars!

First, a quick word on the security issue, since that usually piques people’s interest. There were a couple of threads in the forums about a security report that included a handful of XSS (Cross Site Scripting) vulnerabilities and one RCE (Remote Command Execution) vulnerability. First of all, if all your modules are up-to-date then you are safe from these specific vulnerabilities, as they have been addressed. All but one of the XSS issues had already been removed in 2.10. Our standard policy is to fix the currently supported releases (2.9 and 2.10) as well as the previous two releases, though in this case I pushed the fixes back to 2.6.

A few words on the RCE vulnerability. This was a breach that would allow an attacker to penetrate your system and run any arbitrary Linux command. In most installations, including the FreePBX Distro, this means that they could run any command that the asterisk user has privileges to run, allowing significant damage to be done. Some distros, such as trixbox systems (for those of you still running trixbox) and Elastix, allow the asterisk user to [i]sudo[/i] (change) to root for some commands, and as such the exploit could gain access to the root user. Whether penetrated as the asterisk user or the root user, both are very bad, though as root even more damage can be done. I will stress that a system properly protected such that http access is not allowed without a secure VPN was not at risk from the internet, though it was still vulnerable to a malicious user with local access. (Technically, one could use an XSS-style attack to trick a local user into triggering the RCE vulnerability as well.) This issue has been fixed, but the potential for damage again underscores that allowing http access poses significant risk. Though this one is now fixed, there are certainly other dormant vulnerabilities not yet discovered, so think twice before exposing http access outside of VPN protection.

If you go to Module Admin, or have it run automatically, you will have seen (or will see if you haven’t done it yet) that there are module updates available, and if you review the changelogs for the modules, you will see references to this recent security issue. If you are happy just updating all your modules, which is usually a fairly safe thing to do, then you are covered. However, this got us thinking of ways that we might better bring to your attention any critical updates that are necessary to address known vulnerabilities. The FreePBX notification system currently has the ability to post very visible security updates in the panel, and in the case where you have provided an email address to be notified of module updates, it will also send an email notifying you of these issues. What we are looking at doing in 2.11 is adding additional information to the Module Admin XML data that gets retrieved, which would allow your PBX to analyze your current module versions and properly warn you through these mechanisms if it detects that you have vulnerable versions of any modules for which a fix is known. This would give those of you who are more cautious in applying updates prompt warnings without having to actively dig through all the module changelogs each time one is published.
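To make the idea concrete, here is an added example (not FreePBX code) of the version analysis described above. The real Module Admin XML schema is not shown in the post, so the `<securityfix>` element, the module versions and the installed-version table are all constructed for illustration.

```python
"""Added example: flag installed modules that sit behind a known security fix.

The <securityfix> element and the MODULE_FEED sample are hypothetical;
FreePBX's actual Module Admin XML is not reproduced here.
"""
import xml.etree.ElementTree as ET

# Constructed sample feed: each module lists the version in which a
# security fix landed, one entry per supported release branch.
MODULE_FEED = """<xml>
  <module>
    <rawname>core</rawname>
    <version>2.10.0.8</version>
    <securityfix version="2.10.0.8"/>
    <securityfix version="2.9.0.11"/>
  </module>
  <module>
    <rawname>voicemail</rawname>
    <version>2.10.0.3</version>
    <securityfix version="2.10.0.3"/>
  </module>
</xml>"""


def parse_version(v):
    """'2.10.0.8' -> (2, 10, 0, 8) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def find_vulnerable(feed_xml, installed):
    """Return {module: fixed_version} for every installed module whose version
    is older than the security fix published for its own release branch."""
    warnings = {}
    for mod in ET.fromstring(feed_xml).findall("module"):
        name = mod.findtext("rawname")
        if name not in installed:
            continue
        have = parse_version(installed[name])
        for fix in mod.findall("securityfix"):
            fixed = parse_version(fix.get("version"))
            # Compare only against the fix for the branch (major.minor) this
            # PBX runs: a 2.9 system is warned about the 2.9 fix, not 2.10's.
            if fixed[:2] == have[:2] and have < fixed:
                warnings[name] = fix.get("version")
    return warnings
```

A PBX running `core 2.10.0.5` and `voicemail 2.10.0.3` would be warned only about `core`, which is exactly the kind of targeted notice the post describes.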

Security aside, back to looking forward. One of the areas discussed is the CEL (Call Event Logging) subsystem in Asterisk. I’ve been playing around with this a bit and it does provide for some interesting and very voluminous data if you enable all the events that Asterisk has to offer, and that doesn’t include any user defined events which we will be sure to add into FreePBX. It’s still very early so we’ve only started playing with the technology. Some of the current talk for initial introduction is to simply allow for any current CDR record to be clicked and by doing such, you will receive the full set of CEL records that make up that call. In some cases, there can be multiple CDR records that are all from a single call. In those cases, regardless of which of those you clicked on, you would still receive the full CEL thread related to that single call. At this point we’ve determined how to obtain that full list consistently. What’s left are many more decisions to be made from how to best log the transactions, which events to log, which fields to log, how to best present the data and more. The main goal for this release is going to be getting this exposed. Once exposed and easily configured in FreePBX, more ideas from you and great third party tools are sure to follow.

The User Portal effort headed up by Schmooze Com, Inc is also quite in its infancy. At this point, the things we are running into this early in the game are flushing out some of those dark and aging areas inside of FreePBX that are well due to be replaced in order to further facilitate the new work we want to do. This has always been referred to as the various ‘internal plumbing’ that over time we continue to replace; something that is usually not very visible to the end user but critical and necessary to ensure FreePBX continues to be the great product that we are all so happy with.

I did not sync up with Ward before writing this blog to determine if any progress has been made on the XMPP enabled “remote hints” that I mentioned in the last blog post. Hopefully we’ll know if work has been done in that space next time we have some updates!

As a quick reminder, the next [url=/open-telephony-training-seminar]Open Telephony Training Seminar[/url] is quickly approaching and with the [url=/open-telephony-training-seminar-register]Early Bird Special[/url] ending Saturday, March 31st, now’s the time to save yourselves a few hundred dollars and make sure you have an opportunity to be part of our upcoming training!

[b]Philippe[/b] – On Behalf of the FreePBX Team!

What are we thinking about for 2.11

With 2.10 finalized and humming along on thousands of systems, it’s time to start deciding what to do for the next release. With the current trend of double digit release numbers, maybe we should name it 11 instead of 2.11? If you have an opinion feel free to express it but for now let’s discuss more interesting topics, like what should be in it!! Some of us developers got on a phone conference last week to start this dialog. We’ve got some ideas which I’ll express next but as always we want to hear from you!

For starters, our general consensus was to target the next Astricon for a release timeframe. Astricon is held annually towards the end of October, so that gives us about 7 months from now. We kept the discussion at a high level with the expectation to summarize here and begin to get your feedback on things to work on. From an Asterisk perspective, we will support the current LTR (Long Term Release) of Asterisk 1.8, plus 10 and 11, the latter being the next LTR, due out around that time as well.

One big change in Asterisk 10 is the rewrite of the [i]ConfBridge[/i] application. MeetMe has been the [i]”primary”[/i] conferencing application prior to 10, but it has some problematic requirements which also keep it from handling wide band codecs. The Asterisk team rewrote what looks to be an awesome new version of the ConfBridge application, which has so much flexibility and power that it deserves a complete rewrite of our conferencing module in FreePBX! In order to get some early exposure to the new ConfBridge, we’ll add support in the current Conferencing Module for FreePBX 2.10, but the real flexibility won’t come until the module gets rewritten!

The biggest undertaking for 2.11 is to finally replace the User Portal (ARI – Asterisk Recording Interface) with a new and modern version that is written from the ground up. Schmooze Com, Inc has stepped up to the plate with the current intention of leading this effort and providing significant contributions to the rewrite. This will be an ambitious undertaking and we are very excited that it is en route to becoming a reality!

Another technology we discussed investigating is the ability to remotely monitor [i]ExtensionState[/i] information (Asterisk [i]”hints”[/i]) between two or more PBX systems. This underlying technology uses XMPP as its transport mechanism and requires an outside XMPP server to configure and run. Potential applications range from BLF enabled buttons that monitor remote extensions at another branch, to ExtensionState information about remote queue members being available to the local queue, to separate Voicemail Servers with MWI information available locally, and more. Our starting point will be an investigation, after which we’ll explore what we might do to take advantage of it. Ward (from Nerd Vittles) indicated some interest in getting a test bed up and going, but if anyone else out there wants to join the party and help with the effort you would be more than welcome!

We’ve also started exploring the Call Event Logging (CEL) infrastructure added to Asterisk 1.8. CEL is an event based subsystem designed with comprehensive [i]”billing”[/i] systems in mind. Today, we have the CDR records that form the basis of our call reports. These have some use but a lot of limitations, and they can often be difficult to read. What becomes particularly hard is to try and track a complex call that may go through various stages such as attended and blind transfers, call pickups, parking and more. With CEL, you will get MANY more events from a given call, but it’s possible to process those events in such a way that we can group all information related to a single call, which becomes quite useful for someone trying to bill for or otherwise account for a full call flow. The CEL subsystem is quite flexible, so there are a lot of possibilities available. We expect 2.11 will be just the beginning!
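The grouping described here, and the "click any CDR record and get the whole CEL thread" behaviour sketched in the 2.11 security post above, can be illustrated with an added example (not FreePBX code). The post does not say how FreePBX links CDR records to CEL events; this example assumes Asterisk's own CEL fields `uniqueid` (the channel) and `linkedid` (the channel that started the call, shared by every channel in that call), and the event rows are constructed.

```python
"""Added example: resolve any CDR leg of a call to the call's full CEL thread.

Assumes Asterisk CEL rows carrying uniqueid and linkedid; the rows below
are constructed, not captured from a real system.
"""
from collections import defaultdict

# Constructed CEL rows: (eventtime, eventtype, uniqueid, linkedid).
# One inbound call (1.100) is answered by ext 2001 (1.101) and then blind
# transferred to ext 2002 (1.102); an unrelated call (1.200) is interleaved.
CEL = [
    ("09:00:00", "CHAN_START", "1.100", "1.100"),
    ("09:00:01", "CHAN_START", "1.101", "1.100"),
    ("09:00:01", "CHAN_START", "1.200", "1.200"),
    ("09:00:03", "ANSWER", "1.101", "1.100"),
    ("09:00:03", "BRIDGE_START", "1.100", "1.100"),
    ("09:00:04", "ANSWER", "1.200", "1.200"),
    ("09:00:30", "BLINDTRANSFER", "1.101", "1.100"),
    ("09:00:30", "CHAN_START", "1.102", "1.100"),
    ("09:00:31", "HANGUP", "1.101", "1.100"),
    ("09:00:33", "ANSWER", "1.102", "1.100"),
    ("09:01:00", "HANGUP", "1.102", "1.100"),
    ("09:01:00", "HANGUP", "1.100", "1.100"),
    ("09:01:10", "HANGUP", "1.200", "1.200"),
]


def index_by_linkedid(rows):
    """Group events by linkedid and map every channel uniqueid to its linkedid."""
    threads = defaultdict(list)
    uniq_to_linked = {}
    for row in sorted(rows):  # eventtime is the first field, so this is chronological
        _, _, uniqueid, linkedid = row
        threads[linkedid].append(row)
        uniq_to_linked[uniqueid] = linkedid
    return threads, uniq_to_linked


def cel_thread_for_cdr(rows, cdr_uniqueid):
    """Given the uniqueid of any CDR leg, return the whole call's CEL events.
    Several CDR records of one call (here: before and after the transfer)
    all resolve to the same thread; an unknown uniqueid yields []."""
    threads, uniq_to_linked = index_by_linkedid(rows)
    return threads.get(uniq_to_linked.get(cdr_uniqueid), [])
```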

There was some additional discussion including what level of support we should or even could provide to Google Voice if a developer were able to commit to keeping after it, as well as CallerID Superfecta which currently is not at all in our control as it is not even housed in any of our repositories. For the most part though, we were looking at the above “bigger” technologies we want to play with and hopefully introduce and then come here to start asking you to throw out your ideas. We will be digging through the feature request tickets as is always the case but your comments are very welcome here so please feel free to fire away!

As a quick side note, May is approaching faster than expected, as is the end of March deadline for Early Bird Pricing on the upcoming [url=/open-telephony-training-seminar]OTTS training coming to Minneapolis, MN[/url], so if that’s something you are considering, don’t procrastinate too long and miss out on the savings! Signups have already started and the last two events ended up selling out, so make sure to reserve your spot!

For now, let us know what your ideas are for the next FreePBX release!

[b]Philippe[/b] – On Behalf of the FreePBX Team!