Security Vulnerability Notice

Summary:

An unauthenticated remote attacker can run shell commands as the Asterisk user on any FreePBX system running the ‘Recordings’ module at versions 13.0.12 through 13.0.26.

Details:

The Recordings module lets you play back recorded system files. Due to a coding error and a PHP quirk, certain Ajax requests that fetch files were served without any authentication check.

This has been fixed in Recordings 13.0.27.

For PBXact users on version 10.13.66, make sure you upgrade to version 10.13.66-15 or higher to receive the patch. For information on how to update your PBXact system, review our wiki here.

For FreePBX Distro users on version 10.13.66, you can either upgrade the Recordings module in Module Admin to version 13.0.27 or upgrade to FreePBX Distro 10.13.66-15. For information on how to update your FreePBX Distro system, review our wiki here.
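The following check script is an added example, not code from the advisory or from the FreePBX project. It turns the version ranges quoted above (Recordings 13.0.12 through 13.0.26 affected, fixed in 13.0.27; Distro/PBXact 10.13.66 patched from build -15) into a small audit you can run against a list of installed modules. The sample module table is constructed here to resemble `fwconsole ma list` output; the exact column layout of that command is an assumption, so adjust the row regex if your output differs. Versions are compared numerically per component, which matters because a plain string comparison would rank 13.0.9 above 13.0.12.

```python
import re
from typing import Optional, Tuple

# Ranges quoted in the advisory above.
RECORDINGS_FIRST_BAD = (13, 0, 12)
RECORDINGS_LAST_BAD = (13, 0, 26)
DISTRO_TRAIN = (10, 13, 66)      # the only release train the advisory names
DISTRO_FIXED_BUILD = 15          # 10.13.66-15 or higher carries the patch


def split_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """'10.13.66-15' -> ((10, 13, 66), 15); '13.0.26' -> ((13, 0, 26), 0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return core, build


def recordings_affected(version: str) -> bool:
    """True if this Recordings module version is inside the affected range."""
    core, _ = split_version(version)
    return RECORDINGS_FIRST_BAD <= core <= RECORDINGS_LAST_BAD


def distro_patched(version: str) -> Optional[bool]:
    """For the 10.13.66 train, True once the build number is 15 or higher.

    Returns None for any other train: the advisory says nothing about them,
    so the script refuses to guess (assumption: other trains are out of scope).
    """
    core, build = split_version(version)
    if core != DISTRO_TRAIN:
        return None
    return build >= DISTRO_FIXED_BUILD


# Constructed sample in the shape of a `fwconsole ma list` table (layout assumed).
SAMPLE_MODULE_LIST = """\
+-------------+---------+---------+
| Module      | Version | Status  |
+-------------+---------+---------+
| core        | 13.0.86 | Enabled |
| recordings  | 13.0.20 | Enabled |
| firewall    | 13.0.38 | Enabled |
+-------------+---------+---------+
"""


def module_versions(table: str) -> dict:
    """Map module name -> version string from the table rows.

    The header row is skipped automatically because 'Version' is not a
    numeric version string and so fails the second capture group.
    """
    versions = {}
    row = re.compile(r"^\|\s*([A-Za-z0-9_]+)\s*\|\s*(\d+(?:\.\d+)*(?:-\d+)?)\s*\|")
    for line in table.splitlines():
        m = row.match(line)
        if m:
            versions[m.group(1)] = m.group(2)
    return versions


def assess(table: str, distro_version: str) -> dict:
    """Combine the module check and the distro check into one verdict."""
    mods = module_versions(table)
    rec = mods.get("recordings")
    return {
        "recordings_version": rec,
        "recordings_affected": recordings_affected(rec) if rec else False,
        "distro_patched": distro_patched(distro_version),
    }


if __name__ == "__main__":
    # Sample box: Recordings 13.0.20 on Distro build -14 -> affected, not patched.
    print(assess(SAMPLE_MODULE_LIST, "10.13.66-14"))
```

A system is safe by either route the advisory gives: `recordings_affected` is False (module already 13.0.27 or later) or `distro_patched` is True (Distro/PBXact build -15 or later). Note that a module upgrade alone fixes this issue; a Distro upgrade is the route that also brings the rest of the platform up to date.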

This vulnerability was discovered by: Adrian Maertins <adrian(dot)maertins(at)gmail(dot)com>

Additional Details:

Because FreePBX is deployed as an appliance, a remote shell as the Asterisk user can be leveraged to become root, so treat this as a full compromise of the system rather than a low-privilege foothold.

For security, performance, and the best user experience, keep ALL modules up to date. Security and functional updates may be delayed, or never released, by maintainers of third-party repositories.

It is also good practice, whenever your PBX must be reachable from the internet, to run the FreePBX firewall and/or another quality firewall in front of the system. Limit access via VPNs and, where possible (for example with Sangoma Phones), use the phones’ native VPN support so that the set of ports you expose to potential attackers is as small as possible.

Links to More Information:

http://wiki.freepbx.org/display/FOP/2016-08-09+CVE+Remote+Command+Execution+with+Privileged+Escalation

http://issues.freepbx.org/browse/FREEPBX-12908

History of Security Vulnerability:

Sangoma takes security issues very seriously and we try to work with security experts who find such vulnerabilities in a cooperative manner in order to maximize the ability to protect the user base with timely patches and appropriately timed communications.

This particular vulnerability was reported with a disclosure window of only three days. That did not give us adequate time to obtain a proper CVE identifier, which we are still working on. We are therefore releasing patches now and asking users to update their systems immediately, since attackers who see the report can be expected to write attack scripts targeting FreePBX systems exposed to the internet.

FreePBX Distro 7 Beta Release

We are pleased to announce the beta release of the next FreePBX Distro. This is a huge leap forward in our distro releases. We would like to encourage early adopters to play with it and test it to ensure we have a solid platform to build FreePBX upon in the future. The new FreePBX distro is built on top of the Sangoma 7 distro, which is derived from CentOS 7.  

Some significant highlights of the new distro include:

  1. No more FreePBX Distro Updater scripts. It’s just ‘yum update’. Always. You can also ‘yum downgrade’, too. (This, of course, doesn’t change FreePBX’s module versions, as usual. This is just Distro, and replaces the previous complexity of having to run multiple sequential upgrade scripts.) A forthcoming module will make this even simpler, removing the dependence on Sysadmin to do operating system upgrades.
  2. Complete UEFI support for installation and operation.
  3. Serial and USB installs are now much easier! In fact, it’s much faster to install from USB than from ISO! So much so that – depending on your feedback – installing from USB may become the recommended method of installation, with ISOs as the secondary installation method.
  4. A better development environment. If you want to develop FreePBX, you can just run ‘yum install freepbx-devel’ to prepare most of the development environment.
  5. Behind the scenes, all package updates are automated. This makes it a lot easier for us to rapidly and reliably push out fixes without needing to run multiple different steps to replicate to all the CDNs.
  6. PHP 5.6.24 and FreePBX 14

This is being shipped with FreePBX 14, as one of the features of 14 is complete support of modern PHP versions. FreePBX 14 is in early alpha. Several new features are unreleased and under development. At this stage in development, updates may come multiple times per day and things may break without notice. FreePBX 14 is not under the “Edge release system” during the alpha stage, so releases are not staggered. We welcome OS level bug reports, but FreePBX 14 issues should wait until FreePBX 14 reaches beta. (If you want to become involved in the FreePBX 14 development process, you are welcome to join us on IRC in the #freepbx-dev IRC channel!)

You can download the ISO directly from our mirrors, or via BitTorrent for fastest downloads using this magnet link, or, this torrent file.

If you find issues with the distro, you can report a bug at issues.freepbx.org. Select the “FreePBX Distro 7” project, or simply click on this link to go there directly.

Please note: This ISO reports installation statistics back to us. We record how long the install took, the CPU type, speed, and number of cores, the amount of RAM, and the size of the disks. We do this so we know where to spend more effort in the development of FreePBX and the FreePBX Distro. These statistics are anonymized; no personally identifiable information is collected. If you do not want this data to be collected, do not connect your machine to the internet while installing.

Please join us at FreePBX World and give us your feedback on both the distro and FreePBX face-to-face. Visit http://freepbxworld.com for more information and to register.

Join us in Phoenix for FreePBX World 2016

We’re excited to announce that FreePBX World is coming to AstriCon in Phoenix September 27-29, 2016!

FreePBX World will bring people together for educational seminars and networking opportunities focused on FreePBX, the world’s most widely deployed open source PBX platform. You’ll take home new ideas on how to put the FreePBX EcoSystem to work in a wide variety of VoIP telephony applications. You’ll also have the opportunity to meet key leaders behind the FreePBX project and members of the FreePBX community.

Who Should Attend?

  • All users of FreePBX systems
  • Anyone interested in selling and installing VoIP phone systems or hosted VoIP services
  • Developers interested in building FreePBX Certified custom telephony applications
  • OEM/hardware manufacturers looking to expand their PBX offerings into the lucrative FreePBX marketplace
  • Anyone who wants to learn more about FreePBX and the EcoSystem of products around it

How to Register

FreePBX World 2016 will be located within AstriCon, the annual Asterisk users’ conference, taking place this year at the Renaissance Phoenix Glendale Hotel & Spa. Your admission to AstriCon grants you access to FreePBX World at no extra charge. You don’t need to register separately for FreePBX World, but you do need an AstriCon admission pass in order to attend.

Make plans now and take advantage of special savings. You can save 25% off individual All-Access Conference Passes by using promo code sangoma when you register online.

Call for Speakers

Interested in speaking at FreePBX World 2016? Your unique experience related to FreePBX might be a great topic for a seminar. If you have an idea for a presentation that would be useful to the FreePBX community, we hope you’ll consider sharing your expertise at this event. Please submit your speaker proposal by July 29.

Sangoma’s Commitment to Open Source

In January of 2015, the FreePBX project became part of the Sangoma family. Being a commercial entity charged with maintaining an open source project can be a challenging endeavor at times. Furthermore, the fact that major open source projects are normally in the care of commercial organizations is usually not given much thought.

Before Sangoma, FreePBX was overseen by Schmooze Com Inc., before that Bandwidth and before that Coalescent Systems Inc. These companies have all done their parts to ensure the survival of the FreePBX project. Sangoma has been dedicated to the open source community, including FreePBX, for many years. In the last year, the FreePBX project has seen great strides, including the release of FreePBX 13 with accelerated development and bug fixes.

Sangoma has also empowered FreePBX with new open source features such as: synchronizing Active Directory with user manager, a complete rewrite of Sound Recordings, the overhaul of the FreePBX interface, playback of recordings in your browser, the addition of the firewall module, sound languages module and so much more.

More recently we’ve kicked off development on FreePBX 14, our next major release. One of the major new open sourced features we are bringing to the table is a calendaring system which will become a replacement for many of the scheduling components you use today, like Time Conditions. But we’ll be able to talk more about that in a few weeks.

FreePBX has historically been funded through professional training, professional support services, and commercial modules. These commercial modules tend to enhance the already provided open source functionality. These modules usually require special development or maintenance considerations, so they become paid modules. Over time, we constantly review our collection of commercial modules to see if any meet the requirements to become open sourced.

Thus, we have decided to release several of these commercial modules under the AGPLv3 as open sourced. Some of these modules have been unmaintained for a few years and will be put into the contributed repository to allow community members to build off of the code and revive or enhance the functions for the open source community.

We have also thrown in a few actively maintained modules such as XMPP, RESTapi and Text-To-Speech Engines that will allow broader use and community contributions. Moving forward these modules will still be maintained by Sangoma. In the coming months, we hope to have some great new features regarding RESTapi.

We hope the release of this code will inspire users to take FreePBX to the next level!

The code for these modules is now available at (or GitHub, respectively):


With these changes there is no longer a license requirement for XMPP, RESTapi or Text-To-Speech Engines; you can download these modules straight away in FreePBX 13 from Module Administration.


GitHub:

  • Core: https://github.com/freepbx
  • Contributed: https://github.com/FreePBX-ContributedModules


Thank you for being part of the FreePBX community!

Snom Endpoints Certified for FreePBX

The FreePBX EcoSystem continues to grow with the addition of Snom Technology as our newest Certified Hardware Partner.

This certification means the FreePBX Project engineering and development teams have tested Snom endpoints for functionality and usability within the FreePBX platform and EndPoint Manager.

Frederic Dickey, Sangoma Technologies VP of Marketing, stated: “FreePBX is all about freedom of choice for business communications systems. The addition of Snom’s phones to the list of supported endpoints in the EndPoint Manager module confirms our approach to the market. EndPoint Manager enables easy provisioning and management of supported endpoints directly from within the FreePBX Administrative GUI, saving a great deal of time in the implementation of systems.”

The FreePBX Certified EcoSystem Product Program enables end users and systems integrators to identify products and solutions that are interoperable with FreePBX. Through achieving certification, Snom has demonstrated a willingness to work closely with the FreePBX Project to give our shared end users and partners access to a wide range of officially supported endpoints.

Snom Press Release: https://www.snom.com/press/snom-ip-telephones-certified-full-interoperability