Security Vulnerability Notice

Summary:

An unauthenticated remote attacker can run shell commands as the Asterisk user of any FreePBX machine with ‘Recordings’ versions between 13.0.12 and 13.0.26.

Details:

The recordings module lets you playback recorded system files. Due to a coding error and a PHP quirk, certain Ajax requests were unauthenticated when requesting files.

This has been fixed in Recordings 13.0.27.

For PBXact UC users on version 10.13.66, make sure you upgrade to version 10.13.66-15 or higher to receive the patch. For information on how to update your PBXact system, review our wiki here.

For FreePBX Distro users on version 10.13.66, you can either upgrade the Recordings module in Module Admin to version 13.0.27 or upgrade to FreePBX Distro 10.13.66-15. For information on how to update your FreePBX Distro system, review our wiki here.

This vulnerability was discovered by: Adrian Maertins <adrian(dot)maertins(at)gmail(at)com>

Additional Details:

As FreePBX is an appliance, any remote shell access can be leveraged to become root.

Keep in mind that for security, performance, and the best user experience you should keep ALL modules up to date. Some security and functional updates may be delayed or unreleased by maintainers of 3rd party repositories.

It is also always good practice, when your PBX requires internet access, to run the FreePBX firewall and/or other quality firewalls in front of your system. Limit access via VPNs and, where possible (such as with Sangoma Phones), take advantage of native phone VPNs so that you open as few ports as possible and minimize the exposure you present to potential hackers.

Links to More Information:

http://wiki.freepbx.org/display/FOP/2016-08-09+CVE+Remote+Command+Execution+with+Privileged+Escalation

http://issues.freepbx.org/browse/FREEPBX-12908

History of Security Vulnerability:

Sangoma takes security issues very seriously and we try to work with security experts who find such vulnerabilities in a cooperative manner in order to maximize the ability to protect the user base with timely patches and appropriately timed communications.

This particular vulnerability was reported with a disclosure window of only three days. As such, we have not had adequate time to obtain a proper CVE, which we will be working on. In the meantime we are providing patches to address the issue and requesting that users update their systems immediately, so that they are protected against possible hackers who may read the report and create malware attack scripts targeting FreePBX systems open to the internet.

FreePBX 13 BETA is Ready For Testing

The development team is excited to announce that the FreePBX 13 BETA release is now OPEN. It is available for install via the FreePBX Distro, or you can upgrade your current Alpha system through Module Admin.

When you open up the new version, the first impression will be a complete change in the look and feel. You’ll discover features such as scrollable dropdowns, search bars, wizards and re-designed navigation menus that make your day-to-day interactions easier and faster. What won’t be immediately obvious is the vast “internal plumbing” changes that bring benefits such as significantly faster reload times, especially for large installs, and the replacement of the deprecated PearDB library with the modern PDO for faster and more secure database access.

The team has been working hard for 9 solid months; with close to a dozen developers involved, the results are impressive. We’ll be introducing a “Version Upgrade” module in the coming weeks once we get the initial feedback that this Beta looks solid, which means we need your help now to provide us with that feedback!

“Town Meeting” via Google Hangout

We’ll brief you in just a moment, but first, please mark your calendars for the premiere in a series of interactive Hangout Meetings where we will tell you more about Version 13 and give you a chance to interact with us directly and get your questions answered!

When: Thursday, July 9th 4PM EST

Where: bit.ly/1GNCg4c

Understanding What’s New in FreePBX 13

This new version builds on many of the technologies and experiences that were introduced in FreePBX 12, where an all new mobile friendly User Control Panel (UCP) based on Twitter’s Bootstrap framework was introduced, along with a myriad of other enhancements spanning from Asterisk’s PJSIP support to HTML5 voicemail playback and recording to secure module signing.

The visual enhancements of 13 stick out right away. From the new grid layout of each module to the ease of use wizards:

FreePBX 13 Grid Layout

FreePBX 13 Quick Create Extension

FreePBX 13 Wizard

The team has made changes based on your user feedback and improved UI design research. Past problems such as menu selections too long for your browser window have been addressed with scrollable menu bars, and advanced users can navigate quickly with the new search boxes:

FreePBX 13 Scroll

FreePBX Search Boxes

The list of navigation and usability improvements goes on; the best way to discover them is to get it up in front of you and start experiencing all the great things the team has been working on!

We also put effort into some bigger “sub-systems” to further enhance FreePBX, based on user demands and on the changing technologies that come with the evolution of Asterisk.

Bulk User Management has been a big request and has seen minimal support in the past. This version introduces the new Bulk Manager, a pluggable module that allows you to do mass “spreadsheet” management of Users, Extensions, Contacts and DIDs. It is designed to grow and scale with the evolution of FreePBX and with the introduction of features from other modules that affect these.

FreePBX 13 Bulk

Call Event Log (CEL) integration and reporting, the Asterisk evolution of CDRs, has been added so you can view the detailed activity of events from calls on your system.

FreePBX 13 CEL

With FreePBX prevalent in over 220 countries, language localization has been a priority, and version 12 already saw huge efforts to improve the localization abilities of FreePBX for different languages. This new version adds the next dimension: easy sound file management with simple online access to other languages. The last leg of this effort will be the System Recording module, which will be re-written to enable the concept of multiple language versions of the same call recording and will follow right on the heels of this release. This means, for instance, that you will be able to have a single IVR that plays in different languages using the exact same recording, based on language selection decisions in the call flow.

FreePBX 13 Localization

FreePBX has always had a very limited ability to be worked with at the CLI level, via various ‘amportal’ commands. This latest version has adopted the Symfony framework and has begun to offer much more extensive CLI access through the “fwconsole” command.

FWConsole

There’s so much more to talk about that we can barely scratch the surface. The above are only highlights; the real efforts that have gone in can only be experienced by trying it out yourself. So we look forward to you helping us drive this forward to a release candidate and final release soon!

Downloads and BETA Availability

FreePBX 13 BETA is immediately available on the FreePBX 13 download page. The plan is that once we move further in the BETA process we will release the .tgz file for users wishing to do localized builds on their own standalone systems. For the time being we are releasing only for the FreePBX Distro, so as to control factors introduced by the OS or other unknown variables, but any user can always check out 13 from the FreePBX git servers.

In order to help us release FreePBX 13 on schedule, users of the BETA release are encouraged to report any bugs, issues or errors at http://issues.freepbx.org.

For now we look forward to your feedback and testing, and to you helping us get 13 finalized! Without your contributions and support FreePBX wouldn’t be the most prevalent open source PBX platform on the planet, and for that we are deeply grateful!

FreePBX 12 Release and Astricon

Hi Folks!

I’m sitting in the McCarran International Airport in Las Vegas, about to head back home to attend a wedding, after a wonderful Astricon which is still going (until Friday!). Just wanted to send you all a quick note that today we finalized FreePBX 12 with the release of Framework 12.0.2. This means we are officially certifying it “stable”. Bug reports are always welcome and can be filed at http://issues.freepbx.org.

It’s been a long couple of weeks (with lots of hair pulling) leading up to this announcement, and with over 12,000 people already using FreePBX 12 we decided it was time to go stable. I can’t wait to work with all of you on FreePBX 12 and in the future. It’s a great release and FreePBX has come very far (technology wise) with it (and if you don’t know what we’ve done, then scroll down to check it out). I’m proud of what we’ve accomplished and the community seems proud as well:

If you didn’t see my full breakdown when we released the beta you should go check it out right now; otherwise I’ve broken down the important points here: http://community.freepbx.org/t/freepbx-12-beta-1-and-some-really-cool-stuff/22782/1

FreePBX 12

A few of the features included in the FreePBX 12 release are:

  • Asterisk 12 Support
    • Allow a system to run both chan_sip and pjsip
    • Allow Extensions to be able to be switched between the two
    • Added an Asterisk Rest Interface Manager module to add users to be able to utilize Asterisk’s new Rest Interface
  • New User Control Panel that replaces ARI “UCP” (Please check online and download the module *after* upgrading to FreePBX 12)
    • Presence
    • Call History
    • Widgets/RSS Feeds
    • Modular design allows FreePBX hook into UCP
    • Settings
      • Find Me/Follow Me, VmX Locator, Call Waiting, Call Forwarding, Do Not Disturb
    • Voicemail
    • WebRTC
    • Conference Pro
    • Fax Pro
    • SMS Support in UCP for SIPStation customers
  • Brand New Dashboard
  • Updates to Module admin
  • CDR Reports now support html5 playback, no need to have quicktime player
  • Parking now supports direct slot parking (Meaning you can transfer a call directly into a slot)
  • Secure Module Signing (http://wiki.freepbx.org/display/F2/Module+Signing)

The full list of features can be viewed here: http://wiki.freepbx.org/display/DC/12+Planned+Changes+and+Features

The requirements for FreePBX 12 are simple:

  • Asterisk 1.8 through 13
  • PHP 5.3.3 or higher

Upgrade and Download Plans

The easiest way to get access to the Release Candidate is by downloading the FreePBX Distro at http://schmoozecom.com/distro-download.php and following the steps in http://wiki.freepbx.org/display/HTGS/1.+Install+FreePBX. You can also download the tarball of just FreePBX manually from http://www.freepbx.org/download-freepbx and run through the setup processes documented in http://wiki.freepbx.org/display/HTGS/Version+12.0+Installation.

What’s Next?

So where do we go from here? What’s in the woodwork for FreePBX 13 and above? There are a few things we’ve all hashed around but nothing is set in stone yet; hopefully in the next few weeks we can start working with you on what will be included in FreePBX 13. One last thing: something that is important to me, and that I think we need to do more of, is community blogging. Perhaps going over features or giving you more updates about what we are doing internally, along the same lines as what Philippe did in years past. I’d like to engage more with you and get opinions and ideas about what you’d like to see in future versions of FreePBX. Remember that feature requests are always welcome at http://issues.freepbx.org. So won’t you join me on this crazy ride we call VoIP?

Andrew – On Behalf of the FreePBX Team!

FreePBX 12 RC Release

I hope everyone in the United States had a happy Labor Day weekend, and for those of you outside the US I hope you had a happy Monday (or Tuesday for those of you living a day ahead of us) just the same. In case you haven’t been keeping an eye on FreePBX’s Module Admin, we have made public the “FreePBX Upgrader” for all 2.11 systems that are not FreePBX Distro based. This gives you the ability to upgrade to FreePBX 12. But before you do that, I advise you to read the rest of this post (and make a backup… You did make a backup, right?). If you don’t know why you should upgrade to 12, I highly recommend checking out our previous blog about the beta cycle: http://www.freepbx.org/news/2014-06-23/freepbx-12-beta-1-and-some-really-cool-stuff

A few of the features included in the FreePBX 12 release are:

  • Asterisk 12 Support Allow a system to run both chan_sip and pjsip
    • Allow Extensions to be able to be switched between the two
    • Added an Asterisk Rest Interface Manager module to add users to be able to utilize Asterisk’s new Rest Interface
  • New User Control Panel that replaces ARI “UCP” (Please check online and download the module *after* upgrading to FreePBX 12)
    • Presence
    • Call History
    • Widgets/RSS Feeds
    • Modular design allows FreePBX hook into UCP
    • Settings
      • Find Me/Follow Me
      • VmX Locator
      • Call Waiting
      • Call Forwarding
      • Do Not Disturb
      • Voicemail
      • WebRTC
      • Conference Pro
      • Fax Pro
      • SMS Support in UCP for SIPStation customers
  • Brand New Dashboard
  • Updates to Module admin
  • CDR Reports now support html5 playback, no need to have quicktime player
  • Parking now supports direct slot parking (Meaning you can transfer a call directly into a slot)
  • Secure Module Signing (http://wiki.freepbx.org/display/F2/Module+Signing)

The full list of features can be viewed here: http://wiki.freepbx.org/display/DC/12+Planned+Changes+and+Features

The requirements for FreePBX 12 are simple:

  • Asterisk 1.8 through 13
  • PHP 5.3.3 or higher

Upgrade and Download Plans

The easiest way to get access to the Release Candidate is by downloading the FreePBX Distro at http://schmoozecom.com/distro-download.php and following the steps in http://wiki.freepbx.org/display/HTGS/1.+Install+FreePBX. You can also download the tarball of just FreePBX manually from http://www.freepbx.org/download-freepbx and run through the setup processes documented in http://wiki.freepbx.org/display/HTGS/Version+12.0+Installation.

Andrew – On Behalf of the FreePBX Team!

FreePBX 12 Beta 1 and Some Really Cool Stuff

Hi all, Philippe here. I’m super excited to have the privilege of announcing the official release of FreePBX 12 Beta, available for immediate consumption. Version 12 has been in alpha for over 6 months, with several months of planning before that, and to the thousands of you who have downloaded and helped test, we thank you for helping make this a reality and hope you like the really cool stuff the team has done!

The FreePBX community has grown tremendously in the past year and, along with it, the number of resources we’ve dedicated to its continued success has grown too! The goals of version 12 have been multi-faceted, starting with the community! In order to better engage the community we’ve spent the last year upgrading everything: an improved wiki and bug tracker, a translation server, a transition from SVN to Git, and a brand new best in class forum based on Discourse, to provide tools for you to help us and each other make the best product possible! With the significant changes in Asterisk 12, we also set out to have FreePBX 12 support this new version of Asterisk, some of which we talked about in an earlier blog, PJSIP and the Long Awaited FreePBX Asterisk Recording Interface Replacement. Support for Asterisk 12 was just the beginning; we’ll talk about the really cool stuff in a moment!

On the development side, I’m honored to introduce you to the real drivers of this release, as I think the work they have done is astounding and something that we are proud to bring to this great community! I hardly think these guys need an introduction if you’ve spent any time in our forums, but I’d like to ask you to join me in giving special thanks for the tremendous job that Andrew (tm1000), Bryan (GameGamer43), Rob (xrobau), Jason (Qwell) and Luke (DatorHerren) have done in bringing you a version that warrants a jump from 2.11 all the way to FreePBX 12 in one leap! Since Andrew has taken the initiative and lead on so many aspects of these changes, I will let him tell you next about FreePBX 12 and some of the great new capabilities that the team has pulled out of their hat!

What’s New In FreePBX 12 — By Andrew

I appreciate the introduction that Philippe provided and I want to tell you about everything we’ve been up to. I want to jump right to the meat of it by highlighting some work that we are really excited to bring to you today! I’ll touch on the other things at the end!

New User Control Panel

If you were lucky enough to be at last year’s FreePBX World or Astricon, we told you we were finally getting to the rewrite of the User Control Panel (UCP), also known as the ARI (as in Asterisk Recording Interface).

There are really so many cool new things about the new User Control Panel that I will only step through a few of them, but first off let me say that it is fully HTML5 and mobile compliant. One stipulation on both of those items: this is still beta, so many things may still be broken, and because of licensing issues with the mp3 and mp4 codecs UCP does not (at this moment) have support for either of those, so listening to messages on your iPhone is a no go. But don’t worry, we have a solution in mind for you iPhone users, though it will require manual setup on your end. More on that in the next few weeks.

The initial login page of UCP looks similar to what is on the right. It is fully modular and more modules will be added over time. To start off with we have 7 working modules, and we’ve tried to incorporate as much of what you liked in ARI and bring it over to UCP with the added goodness of HTML5 (and remember, feedback is welcome!). Each page navigation is dynamically loaded, so the screen never actually refreshes, creating a consistent and fluid flow for your end users. This concept comes from GitHub’s open source library called pjax (and you can see it in action when you navigate repositories on GitHub).

Furthermore, UCP also supports in-browser recording of voicemail greetings, in-browser playback of voicemail messages and recordings, and drag and drop of voicemail messages, as well as desktop notifications of new faxes (with the Fax Pro add-on) or voicemails. And for all of you Fax Pro users out there, sending a fax now works in NON-blocking mode, meaning the browser won’t freeze while sending your fax; everything will happen in the background. Additionally you can set your presence state on the fly, and view participants of conferences and mute them or kick them from a conference (Conference Pro).

As an administrator you are now able to define which voicemail boxes, conferences or user settings each user you add through User Manager can see. So now you can create a CEO who has access to his own voicemail box and the receptionist’s voicemail box, multiple users who are able to control conferences, or users who get to view CDR reports.

Call History:

Voicemail:

For a more thorough walkthrough of all the UCP features please see our wiki:

Dashboard gets WAY MORE than a Facelift

The next really cool thing is a complete redesign of the Dashboard. Dashboard is the initial page you see when you log into FreePBX; it displays your system stats and general information about FreePBX. We’ve known for a long time that we wanted to revamp and update how Dashboard worked and what you as the user see in it. Today we are proud to release the new Dashboard in FreePBX 12. We’d love to hear your feedback on it so we can make adjustments and tune it to exactly your needs, but first let me go over a few of the features:

The initial loading screen will look similar to what is displayed above. Each “section” is modular, meaning other modules will be able to supply the initial dashboard with their own sections/areas, and we’d love people to dive in and write some modules that they’d like to see! Furthermore, each section can be dragged into the order you want, and FreePBX will remember this order until the next time you change it. As you can see in the view below, I’ve moved the sections around a bit so that the FreePBX blog (which can contain important security notices) is the first thing I see.

Furthermore, FreePBX’s new dashboard logs data even while you are away from your PBX, so you can pinpoint exactly when you are (or were) having problems, going back as far as a month.

The new dashboard also provides a place to see all of your system services and their statuses at a glance, so that you can easily pinpoint whether Fail2ban has crashed (along with other core services such as Asterisk and MySQL).

One More Thing

Lastly, something that is near and dear to my heart is the reintroduction of the textarea input method when setting up Dial Patterns for outbound routes and trunks. The outbound route and trunk dial pattern rules have always been very confusing to many novice users, and to experienced users as well. FreePBX 2.8 changed the GUI input method to help clarify the otherwise very cryptic nature of these dial patterns, as well as to add new capabilities and power to the feature set. Although very well received by a significant portion of users, there are power users who have complex and long rules, and the inability to easily cut and paste those rules between screens, or to have over 1500 dial patterns, has been a hindrance that we wanted to address.

I am glad to announce that the textarea has been reintroduced in FreePBX 12 and can be easily enabled with the change of an Advanced Setting. You can permanently leave it in either mode, or switch between them as often as you like. Just look for the “Enable The Old Style FreePBX Dial Patterns Textarea” in advanced settings to switch back and forth as you need.

Beta 1 High Level Summary

Ok, now with the really cool stuff out of my system, here’s an overview of the overall Beta 1 plans:

A few of the features included in this Beta 1 release are:

  • Asterisk 12 Support
    • Allow a system to run both chan_sip and pjsip
      • Allow Extensions to be able to be switched between the two
    • Added an Asterisk Rest Interface Manager module to add users to be able to utilize Asterisk’s new Rest Interface
  • CDR Reports now support html5 playback, no need to have quicktime player
  • Parking now supports direct slot parking (Meaning you can transfer a call directly into a slot)
  • Secure Module Signing

Upgrade and Download Plans

The easiest way to get access to the beta is by downloading the FreePBX Distro at http://schmoozecom.com/distro-download.php and following the steps in http://wiki.freepbx.org/display/HTGS/1.+Install+FreePBX. You can also download the tarball of just FreePBX manually from http://www.freepbx.org/download-freepbx and run through the setup processes documented in http://wiki.freepbx.org/display/HTGS/Version+12.0+Installation.

Andrew – On Behalf of the FreePBX Team!