FreePBX 13 Release Candidate

We are happy to announce FreePBX 13 has reached the next milestone. We would like to thank everyone in the FreePBX community that has provided valuable feedback and testing. On Wednesday FreePBX 13 reached the release candidate stage.  A release candidate is a beta version with the potential to be a final product, which is ready to release unless significant bugs emerge. At this stage in the FreePBX development life cycle all product features have been designed, coded and tested through one or more beta cycles with no known showstopper-class bugs. Though there may still be some minor snags and hiccups we are confident in the stability of FreePBX 13 for general consumption.

This is one of the largest releases in the project’s history and would not have been possible without the FreePBX community, which includes community testers, community developers, and Sangoma developers all working together. This release has touched almost every piece of FreePBX. Along with the visual changes we have put a huge focus on localization and making FreePBX a truly global project. FreePBX 13 now has multi-language sound support, not only in the GUI but in sound files as well. System Recordings now supports recordings in multiple languages, and has been rewritten to support bulk uploads, multiple formats and in-browser recordings. Along the way we removed QuickTime playback of sound files and added full HTML5 audio. Over time we will need you, the community, to help us flesh out and refine this new feature base.

Along the way we have had to deprecate some items in FreePBX. Namely, we deprecated the Camp-On module. There were many reasons for this, but firstly many people didn’t know what they were installing and therefore never needed it. When the module was installed it would generate hints for every extension on the system. We decided to deprecate it because of lack of usage and also in an attempt to make reload times faster. This work, along with the work done on turning all hints into dynamic hints and the work by Digium to make Asterisk 13 faster, has significantly improved reload times, sometimes speeding them up by as much as 50%! Remember that deprecation doesn’t mean it’s being deleted, and we didn’t take this lightly. When modules are fully removed from FreePBX they will find their way into our contributed modules repository along with many other modules. The community at large is welcome to take any of them over and we will gladly provide support to anyone wishing to contribute.

Furthermore we are now requiring registration to use our basic free features of the System Administration module. This module is not a requirement to use a FreePBX system. It is, and always has been, a requirement to use commercial modules. If you wanted to use a commercial module in the past you’d already have had to register your system so this should not be a major change for many of you.

For more information on what is new please see individual change logs in module admin. A summary of changes can be seen in the change log for FreePBX 13.

Get FreePBX 13 RC1 today by one of the following methods:

Upgrade with the Version upgrade utility

With the FreePBX Distro [Update][Download]

Manually Install

Please provide feedback in the community forums 

Report any bugs to our issue tracker

Come join us at FreePBX World 2015

Thank you for using FreePBX

FreePBX 13 BETA GUI Updater

A few weeks ago we pushed out the first beta release of FreePBX 13. This beta was primarily pushed out as a manually installed tarball and a beta Distro release for our advanced users. These community members and our internal testers have been testing and ironing out bugs to allow expansion to a wider audience. Our desire is to be as stable as possible, even in beta, for our community.


Two weeks ago we did a soft launch of our GUI Update utility. This allows anyone running FreePBX 12 to upgrade to 13 by way of the FreePBX UI. If you are running FreePBX 12 you can go into Admin -> Module Admin and click “Check Online”.


Keep in mind that we have done our best to make sure this is safe enough for production use but we cannot account for all use cases. There are likely still bugs unaccounted for and you may be the one to find them. Before updating please make a backup. As a BETA this is not recommended for production use.

We put a heavy focus on the core open source code that is FreePBX. If you use any of our premium add on modules to enhance the FreePBX experience, they may not be fully functional.  If you use commercial modules update with caution.

Please file a ticket for any bugs you find at http://issues.freepbx.org

Please give feedback and feel free to ask questions on our forums at http://community.freepbx.org

Thank you for using FreePBX

Critical FreePBX RCE Vulnerability (ALL Versions)

CVE: 2014-7235
Date: 2014-09-30
Author: James Finstrom
Ticket: http://issues.freepbx.org/browse/FREEPBX-8070


We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.

This exploit allows users to bypass authentication and gain full “Administrator” access to the FreePBX server when the ARI module is present, which may then be used to grant the attacker full remote code execution access as the user running the Apache process.
We have released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12 per our security policy which covers releases that have come out over the last 3.5 years. Versions 2.8 and prior can be easily updated to 2.9 or higher through Module Admin which will remove the vulnerability. Versions 2.11 and 12 are the only officially supported versions of FreePBX but we always apply security patches to the two prior versions as well.

Users prior to FreePBX 12 should update FreePBX ARI Framework to version 2.11.1.5 immediately.

FreePBX 12 users should disable and uninstall the legacy FreePBX ARI Framework module and switch to the new User Control Panel, which is not to be confused with the previous ‘User Control Panel Tab’.

If you are using the FreePBX Distro we have fixed this with upgrade scripts 5.211.65-19 and 6.12.65-18. As always, review the wiki here on how to keep your FreePBX Distro system updated.

Please note that indications of a compromised system include the presence of a “System Admin Dashboard” module (also called “admindashboard”) and/or the files c2.pl and c.sh.

If these are present then your system has potentially been compromised. You should urgently remove this module via a system shell.
Due to various differences between machines, your AMPWEBROOT may be in /var/www/admin, /var/www/html/admin, or potentially any other place.
To determine the location, if you are unaware, it is visible in the Advanced Settings page as ‘FreePBX Web Root Dir’. FreePBX Distro based machines are set to ‘/var/www/html’.
First, run the command:


rm -rf AMPWEBROOT/admin/modules/admindashboard

replacing ‘AMPWEBROOT’ with the system setting.
Then run the following command to remove all traces of it from FreePBX:


amportal a ma delete admindashboard

There will be an error output saying that uninstallation scripts failed to run, however this is expected, and is signifying that the module was removed successfully.

You must also remove any references to c2.pl or c.sh, which can be found by running the commands:


updatedb
locate c2.pl
locate c.sh

We have also noticed that additional Administrator users may have been created as part of a scripted attack. We urge you to verify that your machine does not have any additional unknown ‘Administrator’ users in the “Administrators” page.
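As an added example (not part of this advisory and not FreePBX project code), the POSIX shell function below turns the checks above into a read-only script: it tests for the admindashboard module directory under the web root and searches for the c2.pl and c.sh files. It uses find instead of updatedb/locate so that the result does not depend on a possibly stale locate database; the function name, the optional search-root argument and the INDICATOR output format are our own assumptions. It deletes nothing, so the removal commands above remain the remediation.

```shell
#!/bin/sh
# Added example, not from the FreePBX advisory or project: report the
# indicators of compromise named in the advisory (the admindashboard module
# directory, and the files c2.pl / c.sh) without changing anything.
# The indicator names come from the advisory; the function name, the
# search-root argument and the output format are assumptions of this example.
#
# Usage: check_freepbx_ioc AMPWEBROOT [SEARCHROOT]
#   AMPWEBROOT  the "FreePBX Web Root Dir" from Advanced Settings
#   SEARCHROOT  where to look for c2.pl / c.sh (default: /)
# Prints one INDICATOR line per finding. Exit status: 0 = nothing found,
# 1 = at least one indicator found.
check_freepbx_ioc() {
    ioc_webroot="$1"
    ioc_searchroot="${2:-/}"
    ioc_found=0

    # Indicator 1: the rogue "System Admin Dashboard" module directory.
    ioc_moddir="$ioc_webroot/admin/modules/admindashboard"
    if [ -d "$ioc_moddir" ]; then
        echo "INDICATOR: module directory present: $ioc_moddir"
        ioc_found=1
    fi

    # Indicator 2: the dropped files. find replaces `updatedb; locate` so the
    # check does not rely on the locate database being current.
    # -xdev keeps the search on one filesystem (skips /proc, NFS mounts, ...).
    for ioc_name in c2.pl c.sh; do
        ioc_hits=$(find "$ioc_searchroot" -xdev -type f -name "$ioc_name" 2>/dev/null)
        if [ -n "$ioc_hits" ]; then
            # one INDICATOR line per path found
            printf '%s\n' "$ioc_hits" | sed 's/^/INDICATOR: file present: /'
            ioc_found=1
        fi
    done

    if [ "$ioc_found" -eq 0 ]; then
        echo "No indicators found under $ioc_webroot and $ioc_searchroot."
    else
        echo "Follow the removal steps in the advisory and review the Administrators page for unknown users."
    fi
    return "$ioc_found"
}

# Run the check when called with arguments; otherwise only define the function.
if [ "$#" -ge 1 ]; then
    check_freepbx_ioc "$@"
fi
```

Run it as `sh check_ioc.sh /var/www/html` on a Distro machine (substitute your own ‘FreePBX Web Root Dir’ value); a non-zero exit status means at least one indicator was found and the removal steps above apply.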

Please note the FreePBX ARI Framework module used an independent authentication scheme and does not relate to the FreePBX authentication settings of none, database or web server.

Remember the best practice to avoid risk is to not expose your system to the public internet.

In FreePBX 12 we have implemented module signing, which was a key element in identifying this issue.

Users of FreePBX 12 should always take note of the tamper and/or unsigned module notices that show in their system.

Schmooze Com takes the security of FreePBX and our other communications products seriously. In practice there are more eyes on the code in open source software than there are in closed source software; however, the truth of the matter is that the security of any technological product is not determined by its method of distribution. This year’s earlier issues with the Heartbleed OpenSSL security defect brought to light not only how much of an impact open source software has on the entire Internet infrastructure, but emphasized the fact that we must continually improve the tools we provide our developers and community to review and scrutinize our codebase for potential security issues and bugs.

Since its inception FreePBX has had source and ticket management tools in place to provide transparency to our users. We continue to make huge investments in time, energy, and infrastructure to continually improve these tools. When security problems are found in open source software, the visibility of the code and the ease of use provided by these management tools allow diverse teams to collaborate and contribute code fixes. Bug and security fixes are often available within a matter of hours.

If you find a potential bug in FreePBX you can open a ticket at issues.freepbx.org

Or for potential security related issues, send an email to the security team at security@freepbx.org

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score  - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8
Overall CVSS Score - 6

The end of 3rd party Google Voice access

Six months ago Google announced they would discontinue the mechanism that allowed 3rd party applications to access Google Voice services. This day is rapidly approaching and as it does the services that acted as a gateway are also winding down. The big day is May 15th, 2014, and anyone who missed the memo will be left in the cold. I would like to encourage any users who are currently utilizing these back doors and gateways to move on sooner rather than later. This will allow a smoother transition than a last-minute “everything’s down, what now” approach. This time will also give you a chance to research VoIP providers. Once you have a VoIP provider you can forward your Google Voice number to that DID.

While you are researching VoIP providers, may I remind you that using SIPStation also supports the FreePBX project and its continued development. There is also a SIPStation FreePBX Module that makes configuration a breeze.

If you decide to go with SIPStation and don’t wish to rely on the future availability of the service or forwarding function you may also port your Google Voice number over to SIPStation.

Watch this video for more information on the SIPStation FreePBX Module.


James Finstrom
FreePBX Community Manager

New User Management Module Added to FreePBX

If you don’t have your FreePBX system set up to provide you notifications of updates, you should. Those who do will have received notice of a new module named “userman”. I am pleased to announce the “User Management” module. This module lays the groundwork for the future of how you manage users in FreePBX and how users will manage themselves.

This module replaces several modules that have attempted to create and manage users separately from the Extensions module; iSymphony, Xactview and RESTAPI are a few examples. This module tackles that task and is written into FreePBX by the FreePBX team. It is available now under Module Administration.

Immediately this application will begin managing users for the FreePBX XMPP Instant Messaging Application, as well as FreePBX Phone Apps (REST APPS) applications, available for Digium, Yealink and Aastra phones.

In the next version of FreePBX (ver. 12) this module will manage access to our new User Control Panel (UCP). The old User Panel (ARI) created credentials by using the extension and the extension’s voicemail passcode as the login. This created some obvious security concerns. With the new User Management module and the upcoming UCP you will be able to create and easily manage complex usernames and passwords for access to UCP, as well as easily unify your credentials across multiple applications such as desktop operator panels like iSymphony and Xactview, and the Instant Messaging platform already built into the FreePBX Distro. You will still have hooks into the Extensions module to manage individual usernames at the extension level; however, system admins will appreciate the fact that you can quickly manage all of your users’ credentials from one location.

In the example shown we created a username of schmooze for Preston McNair; this username has access to view and manage all of the devices and extensions assigned to Preston.

The module then allows us granular control over which applications schmooze can access and allows the creation of tokens for use with the FreePBX REST API, granting this user access to those features.

On Behalf of the FreePBX/Schmooze Team,

James Finstrom FreePBX Community Manager

Copyright © 2014, Schmooze Com, Inc. FreePBX is a Registered Trademark of Schmooze Com, Inc.
All Rights Reserved.