Critical FreePBX RCE Vulnerability (ALL Versions)

CVE: 2014-7235
Date: 2014-09-30
Author: James Finstrom
Ticket: http://issues.freepbx.org/browse/FREEPBX-8070


We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.

This exploit allows users to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which may then be used to grant the attacker full remote code execution access as the user running the Apache process.
We have released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12 per our security policy which covers releases that have come out over the last 3.5 years. Versions 2.8 and prior can be easily updated to 2.9 or higher through Module Admin which will remove the vulnerability. Versions 2.11 and 12 are the only officially supported versions of FreePBX but we always apply security patches to the two prior versions as well.

Users prior to FreePBX 12 should update FreePBX ARI Framework to version 2.11.1.5 immediately.

FreePBX 12 users should disable and uninstall the legacy FreePBX ARI Framework module and switch to the new User Control Panel, which is not to be confused with the previous ‘User Control Panel Tab’. 
If you are using the FreePBX Distro we have fixed this with upgrade scripts 5.211.65-19 and 6.12.65-18. As always, review the wiki on how to keep your FreePBX Distro system updated.

Please note that indications of a compromised system include the presence of a “System Admin Dashboard” module (also called “admindashboard”) and/or the files c2.pl and c.sh. If any of these are present then your system has potentially been compromised. You should urgently remove the module via a system shell.
Due to various differences between machines, your AMPWEBROOT may be /var/www (giving /var/www/admin), /var/www/html (giving /var/www/html/admin), or potentially any other place.
To determine the location, if you are unaware, it is visible in the Advanced Settings page as ‘FreePBX Web Root Dir’. FreePBX Distro based machines are set to ‘/var/www/html’.
First, run the command:


rm -rf AMPWEBROOT/admin/modules/admindashboard

replacing the ‘AMPWEBROOT’ with the system setting.
Then run the following command to remove all traces of it from FreePBX


amportal a ma delete admindashboard

There will be an error output saying that uninstallation scripts failed to run, however this is expected, and is signifying that the module was removed successfully.

You must also remove any references to c2.pl or c.sh, which can be found by running the following commands (updatedb first, so that locate’s database is current):


updatedb
locate c2.pl
locate c.sh

We have also noticed that additional Administrator users may have been created as part of a scripted attack. We urge you to verify that your machine does not have any additional unknown ‘Administrator’ users in the “Administrators” page.
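The checks above can be scripted so they are repeatable across a fleet of systems. The following is an added example, not code from this advisory or from the FreePBX project: a POSIX shell script that sweeps a box for the indicators listed above (the admindashboard module directory, the module still being registered with Module Admin, and the files c2.pl / c.sh) and lists FreePBX GUI users so unknown Administrators stand out. It assumes that AMPWEBROOT can be read from the AMPWEBROOT= line of /etc/amportal.conf when it is not given on the command line, and that GUI users are stored in the ampusers table of the asterisk MySQL database; neither is stated in the advisory. It is deliberately read-only: it reports what it finds and exits non-zero, leaving the rm and amportal delete steps to you.

```shell
#!/bin/sh
# Added example, not part of the FreePBX advisory: a read-only sweep for the
# indicators of compromise the advisory lists (rogue admindashboard module,
# c2.pl / c.sh, unexpected Administrator accounts). It deletes nothing; once
# you have reviewed its output, run the advisory's rm / amportal steps yourself.
#
# Assumptions (not stated in the advisory): AMPWEBROOT is readable from the
# AMPWEBROOT= line of /etc/amportal.conf, and FreePBX GUI users live in the
# ampusers table of the asterisk MySQL database.

# freepbx_ioc_check [AMPWEBROOT] [SEARCH_ROOT]
#   AMPWEBROOT  web root; defaults to /etc/amportal.conf, then /var/www/html
#   SEARCH_ROOT where c2.pl / c.sh are looked for (default /); find(1) is used
#               instead of locate so the result does not depend on updatedb
# Returns 0 when nothing was found, 1 when at least one indicator was found.
freepbx_ioc_check() {
    webroot=$1
    searchroot=${2:-/}
    found=0

    if [ -z "$webroot" ] && [ -r /etc/amportal.conf ]; then
        # amportal.conf holds KEY=value lines; take the last AMPWEBROOT seen.
        webroot=$(sed -n 's/^AMPWEBROOT=//p' /etc/amportal.conf | tail -n 1)
    fi
    webroot=${webroot:-/var/www/html}

    # 1. Rogue "System Admin Dashboard" module directory.
    if [ -d "$webroot/admin/modules/admindashboard" ]; then
        echo "IOC: rogue module directory: $webroot/admin/modules/admindashboard"
        found=1
    fi

    # 2. Module still registered with FreePBX even if its directory is gone
    #    (this is what "amportal a ma delete admindashboard" cleans up).
    if command -v amportal >/dev/null 2>&1 &&
       amportal a ma list 2>/dev/null | grep -q admindashboard; then
        echo "IOC: admindashboard still registered (see: amportal a ma list)"
        found=1
    fi

    # 3. The c2.pl / c.sh payloads. -xdev stays on one filesystem; drop it if
    #    your web root or /tmp is a separate mount.
    hits=$(find "$searchroot" -xdev -type f \( -name c2.pl -o -name c.sh \) 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'IOC: suspect file(s):\n%s\n' "$hits"
        found=1
    fi

    return $found
}

# freepbx_list_admins: print every FreePBX GUI user so unknown Administrator
# accounts stand out. Needs the mysql client and local DB access. This is a
# listing, not a verdict: only you know which accounts are legitimate.
freepbx_list_admins() {
    if ! command -v mysql >/dev/null 2>&1; then
        echo "mysql client not found; review the Administrators page instead"
        return 0
    fi
    # Assumption: table ampusers in database asterisk (username, sections, ...)
    mysql asterisk -e 'SELECT username, sections FROM ampusers' 2>/dev/null ||
        echo "could not query ampusers; review the Administrators page instead"
}

# Stand-alone use: save as freepbx_ioc_check.sh and run as root:
#   ./freepbx_ioc_check.sh [AMPWEBROOT] [SEARCH_ROOT]
if [ "${0##*/}" = "freepbx_ioc_check.sh" ]; then
    freepbx_list_admins
    if freepbx_ioc_check "$@"; then
        echo "no indicators found"
    else
        echo "indicators found; follow the removal steps in the advisory"
        exit 1
    fi
fi
```

Run it as root with no arguments on a suspect system, or pass the web root and a narrower search directory (for example /var/www or /tmp) to speed up the find. A clean result only means these particular indicators are absent; the extra Administrator users the advisory mentions still have to be judged by eye from the listing.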

Please note the FreePBX ARI Framework module used an independent authentication scheme and does not relate to the FreePBX authentication settings of none, database or web server.

Remember the best practice to avoid risk is to not expose your system to the public internet.

In FreePBX 12 we have implemented module signing which was a key element in identifying this issue. 


Users of FreePBX 12 should always take note of the tamper and/or unsigned module notices that show in their system.


Schmooze Com takes security of FreePBX and our other communications products seriously. In practice there are more eyes on the code in open source software than there are in closed source software, however the truth of the matter is that the security of any technological product is not determined by the method of distribution. This year’s earlier issues with the Heartbleed OpenSSL security defect brought to light not only how much of an impact open source software has on the entire Internet infrastructure, but emphasized the fact that we must continually improve the tools we provide our developers and community to review and scrutinize our codebase for potential security issues and bugs.

Since its inception FreePBX has had source and ticket management tools in place to provide transparency to our users. We continue to make huge investments in time, energy, and infrastructure to continually improve these tools. When security problems are found in open source software, the visibility of the code and the ease of use provided by these management tools allow diverse teams to collaborate and contribute code fixes. Bug and security fixes are often available within a matter of hours.

If you find a potential bug in FreePBX you can open a ticket at issues.freepbx.org

Or for potential security related issues, send an email to the security team at security@freepbx.org

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score  - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8
Overall CVSS Score - 6

Allison Smith FreePBX World Interview and 50% off Professional Voice Recording Promo!


We recently interviewed Allison Smith during FreePBX World in Vegas!

Best known for her work as “The Voice of Asterisk”, and the professional voice talent behind the standard voice prompts bundled with FreePBX, Allison also speaks and blogs about ways to design telephone call flows which won’t drive callers crazy. Watch the interview here, and read her latest IVR Blog below for tips and best practices for creating IVRs.


We have added Allison’s Professional Voice Services to our line up of Add-Ons for FreePBX.  You can now purchase custom prompts directly in the Schmooze Portal.  

As a promotion to welcome Allison to the FreePBX Team, use the PROMO CODE “ivrvoice” from now until Friday September 19th at midnight central time to receive 50% off professional voice recordings!

  • 10 First-Last Name Recordings: was $35.00, now $17.50
  • 30 Word Recording: was $49.00, now $24.50
  • 50 Word Recording: was $75.00, now $37.50
  • 80 Word Recording: was $125.00, now $62.50
  • 800 Word Recording (On-Hold w/ optional musical background): was $350.00, now $175.00


IVR design hints and tips, direct from Allison:

You’ve unpacked and installed your shiny new PBX – it’s an exciting time to be you!

Everything’s configured; you’ve updated the modules – you’ve even explored the modules. You’ve got this. You’re primed and ready to enjoy the ease and flexibility that your new FreePBX affords….and then it dawns on you.

This thing is the *gateway* to your company.

You will have *actual* callers accessing your company via your PBX. It’s the entryway; it’s the launch pad for interaction. Their first impression of you.

It’s your “welcome”.

It’s very likely that *zero* thought has been given to the fact that the IVR that your callers will hear – this mechanism which sorts people into various “categories” so that their concerns can be most efficiently dealt with – is the first clue callers will receive about your company. It’s the first inkling of what you’re about; it’s about who you are.

Yet, this crucial detail gets overlooked in the overall set-up of a typical new PBX install. In my daily work of voicing IVR systems – not only for Asterisk, but countless other systems, I’m amazed at the panicked state some people are in when they contact me. Here’s how it typically goes: “We need to get this system live as soon as possible – and I guess we need someone to voice the opening greeting. Maybe the after-hours message too. Oh! And mailboxes….we haven’t even thought about that….” I mean, they’re completely blindsided!

While possibly the most overlooked aspect of your system, getting your prompts voiced by a pro is essential. And although – in the interest of saving time and cutting costs, it might be tempting to grab someone in your office and put them in a quiet boardroom with a rough phone menu jotted on a legal pad, it can’t be over-emphasized how essential it is to hire a voice-over pro to voice your system. Our core competency is consistency (keeping everything smooth and fluid), discipline (to keep energy and sound quality matching from session to session), and a pro sound set-up (nothing has ever sounded great recorded direct-to-phone with background noise. Ever.) Not to mention the ability to add an unmistakable tone of professionalism and authenticity to your front-end.

There you have it! The first roadblock to a professional-sounding IVR is tackled: hiring a pro.

In order for your IVR to flow logically, you need to have a basic understanding of just *what* goes *where*. You require a good handle on how many extensions you have at your disposal; how many extensions you should realistically actually *use*, and – most importantly – you need to confirm that there will be *service* at the end of those extensions.


Whether you use a traditional call flow schematic to map out what you need (I call it “The Corleone Family Tree” due to its complicated, convoluted nature):

(Image: call flow schematic, familytree.png)

…or you simply sketch it out freestyle, it’s important to map out where each extension goes, what happens when the call is picked up, and how to escalate something of higher priority.

Here are some basics to keep in mind:

You Need to Use as Few Options as Possible

I try to tell clients to trim their opening menu down to five options, max. Attention spans being what they are, and retention of what people hear being quite limited, it’s important to pare down the choices to the essential “top five.” Once a selection has been made, a sub-directory should only have about three choices. Any more than that, and the customer isn’t getting anywhere.

Make Sure Urgent/Most Used/Safety-Related Prompts are First

I always tell the story of the cardiology clinic’s IVR I voiced, when – after 10 menu choices (five too many), the *last* prompt in the lineup was “If this is a medical emergency, dial 911…” Anything life-threatening, mission-critical, or time sensitive – front-stack that at the beginning of your IVR. Also, most commonly-pressed choices should be out of the way early; the deeper callers drill into the menu choices, the more specialized the request.

Provide an Opt-In

There’s a popular line of thinking that if you provide a “Press 0” option which routes to an actual person, that it will be abused. Not true. People are becoming more and more fiercely turnkey. They *want* to solve their dilemma on their own. It’s a part of life now, and the way – especially younger consumers – are used to doing things. Sometimes, none of the choices in a phone tree apply to what they’re calling about – and live assistance should always be an option – eventually. (I recently talked a customer out of putting “Press 0 for a live operator” at the *beginning* of their IVR – in that case, that’s *all* they would press. It should be a last-ditch attempt – at the *end* of the menu choices – as a way of providing one-on-one service if all other self-serve avenues fail.)

Of course, it goes without saying that once an extension is assigned, it needs to actually *go* somewhere – a mailbox which is assigned and attended to. Occasionally, I will voice prompts for a small entity who wants to sound larger than they really are – to the point where fake mailboxes were created to fuel the illusion of having reached a multi-national. If – upon frequent calls to the company – the customer figures out that Joe from accounting is also Joe the CEO, it reflects badly; also hugely undesirable is a mailbox which grows and festers unchecked; someone having created it but has not appointed it to be anyone’s responsibility. “Mailbox full” can be a death knell for a customer to hear.

That should get you started thinking about the framework for your IVR, and how all-important it is to set that solidly before writing your script.

To learn more about planning IVRs and professional voice recordings, make your plans to attend Astricon in October, where Allison will be presenting The New Rules for IVR, and Using Asterisk to create “Her”.


Allison Smith, The IVR Voice

Certified FreePBX Partner

Queue Call-Back BETA Free Trial and New Software Bundles!

Announcing Queue CALL-BACKS for FreePBX®! TRY IT OUT FOR FREE!


FreePBX now has call-back solutions for call centers, or any businesses that get more calls than they can handle at one time! One of the biggest complaints most contact centers receive are from callers upset about hold times. With the new queue call-back functionality built into the Virtual Queue Plus FreePBX Module, your customers will never waste their time on hold again!

When enabled on a queue, call-back frees a caller’s time by letting them “press 1” to exit the call queue and receive an automated call back. The call-back can go to the number they called in with, or one of their choice. When they are next in line to speak to a representative, the system places an outbound call and, once accepted by the caller, routes them to the agent. Not only are your customers happier, but so are your agents, as they don’t have to handle as many disgruntled callers! System administrators and managers can also rejoice as abandon rates drop, as does telco cost, since lines are not tied up with people waiting in queue!

For a very limited time, this new feature is available in the Schmooze Portal with a Free 30 Day BETA Trial! Simply log into your account, (or create one) click on the store, and add the BETA VQ PLUS Free Month Trial License to your cart, assign it to one of your FreePBX deployments, and check out!


We have created some new bundles that include some of our most popular add-ons for FreePBX. This is a great way to get BIG DISCOUNTS on our most popular software!


System Builder Basic- $200 USD

This bundle includes key add-on modules that we recommend for every system:
  • Endpoint Manager: easily manage and auto provision hundreds of supported devices directly from the FreePBX Administration GUI.
  • FreePBX Phone Apps (RESTAPPS): IP phone apps that tightly integrate dozens of supported phones with FreePBX features (Visual voicemail, transfer to voicemail, time conditions management, queues, queue agents, presence, parking, login/logout, follow me, do not disturb, conference rooms, call forward, call flow control).
  • SysAdmin Pro: a power tool for administrators, allows complete system update management directly from the FreePBX GUI as well as management and configuration of system tools such as: intrusion detection, DDNS, DNS, email setup, FTP, abnormal call volume notification, network settings, port management, power options, storage notifications, time zones, UPS and VPN to FreePBX Support.


System Builder Plus-$500 USD

Fully deck out your FreePBX installs with our most popular add-ons all in one package for a great price. This bundle includes Endpoint Manager, FreePBX Phone Apps, SysAdmin Pro, Park Pro, Paging Pro, Class of Service, Conference Pro, Call Recording Reports, XMPP Management and Fax Pro.


Call Center Builder-$1275 USD

Take your contact center to the next level with the Call Center Builder Bundle. This bundle provides advanced reporting tools (QXact Reports, Call Recording Reports), call management tools such as Class of Service, Pinset Pro, Conference Pro and Caller ID Management, and advanced queue enhancements, including Outbound Call Limiting and VQ Plus, which now includes Queue Callbacks (see above)!


FreePBX 12 RC Release

I hope everyone in the United States had a happy Labor Day weekend and for those of you outside the US I hope you had a happy Monday (or Tuesday for those of you living a day ahead of us) just the same. In case you haven’t been keeping an eye on FreePBX’s Module Admin, we have made public the “FreePBX Upgrader” for all 2.11 systems that are not FreePBX Distro based. This gives you the ability to upgrade to FreePBX 12. But before you do that I advise you to read the rest of this post (and make a backup… You did make a backup, right?). If you don’t know why you should upgrade to 12, I highly recommend checking out our previous blog about the beta cycle: http://www.freepbx.org/news/2014-06-23/freepbx-12-beta-1-and-some-really-cool-stuff

A few of the features included in the FreePBX 12 release are:

  • Asterisk 12 support: allows a system to run both chan_sip and pjsip
    • Extensions can be switched between the two
    • Added an Asterisk REST Interface Manager module to add users who may utilize Asterisk’s new REST Interface
  • New User Control Panel that replaces ARI “UCP” (Please check online and download the module *after* upgrading to FreePBX 12)
    • Presence
    • Call History
    • Widgets/RSS Feeds
    • Modular design allows FreePBX modules to hook into UCP
    • Settings
      • Find Me/Follow Me
      • VmX Locator
      • Call Waiting
      • Call Forwarding
      • Do Not Disturb
      • Voicemail
      • WebRTC
      • Conference Pro
      • Fax Pro
      • SMS Support in UCP for SIPStation customers  
  • Brand New Dashboard
  • Updates to Module admin 
  • CDR Reports now support html5 playback, no need to have quicktime player
  • Parking now supports direct slot parking (Meaning you can transfer a call directly into a slot)
  • Secure Module Signing (http://wiki.freepbx.org/display/F2/Module+Signing)

The full list of features can be viewed here: http://wiki.freepbx.org/display/DC/12+Planned+Changes+and+Features 

The requirements for FreePBX 12 are simple:

  • Asterisk 1.8 through 13
  • PHP 5.3.3 or higher

Upgrade and Download Plans

The easiest way to get access to the Release Candidate is by downloading the FreePBX Distro at http://schmoozecom.com/distro-download.php and following the steps in http://wiki.freepbx.org/display/HTGS/1.+Install+FreePBX. You can also download the tarball of just FreePBX manually from http://www.freepbx.org/download-freepbx and run through the setup processes documented in http://wiki.freepbx.org/display/HTGS/Version+12.0+Installation.

Andrew – On Behalf of the FreePBX Team!

Open Source Telephony Revolution – Video – ITEXPO Keynote August 2014

Open source communications platforms powered by FreePBX® and Asterisk® have been under continuous development for over 10 years. Today both of these account for millions of installations worldwide; contributing billions of dollars in hardware, software, and services revenue.


During this Keynote Presentation, Asterisk creator Mark Spencer, FreePBX Project Lead Philippe Lindheimer and The IVR Voice’s Allison Smith tell the tale of how open source telephony grew from the “necessity of a cash strapped young entrepreneur’s need for a phone system” to today’s billion dollar game changer in what was once a vendor-locked PBX market place.


FreePBX offers a rich, reliable and well-supported EcoSystem that gives software application vendors, device manufacturers, and service providers the freedom, power and choice to build and deliver revolutionary communications solutions — faster, better and at lower costs.