Security Notice

Earlier this week we detected a breach to one of our servers as a result of a vulnerability in the OpenX Open Source project that was reported earlier this month. We utilize OpenX within the server infrastructure. The hacker got to our system prior to us updating the server.

We closed the security hole upon detecting it and have spent many dozens of engineering hours scanning through our systems to isolate areas that might have been compromised.

Shortly into this process, one of our community members reported an anomaly in a Distro upgrade script that was quickly tracked down to a compromised upgrade script on our server. We were able to contain this issue quickly such that only 8 other customers downloaded the script.

Before elaborating on the breach I want to take the opportunity to talk about something positive in the mist of this ugly issue. Our upgrade scripts are open, human readable scripts. As such, thousands of eyes can review our work and it was this process that helped quickly discover and contain the vulnerability. For that we are very grateful!

The vulnerability in the upgrade script does the following. Upon running the upgrade it goes out to a pastebin site and installs a very small script to the following location on the compromised system :


That script is designed to receive two parameters: a password and an arbitrary string that can be decoded and executed in PHP on the compromised server. Since the upgrade script goes out to an anonymous pastebin site to download and install faris.php, the hacker does not know about the compromised system. Therefore, the hacker is not able to directly track the system. This means the hacker must randomly scan the entire internet seeking out systems open to the internet that respond to an http request to the faris.php script. As is the case with many vulnerabilities, the hacker probably had scripts running around the internet looking for this faris.php script so it can download and execute an unknown attack. Our efforts tracking down this vulnerability made it clear that this hacker has compromised other projects and there are certainly scripts out there looking for faris.php Since the hacker protected their vulnerability with a password that is hashed, it makes it extremely difficult for ‘[i]copy-cat[/i]’ hackers to write and scan the internet for such compromised systems to do their own damage.

We are looking at mechanisms to put in place to help further protect against a vulnerability such as this. The FreePBX module admin already has a cross check to md5 hashes when downloading module upgrades. That mechanism is an improvement though by far not immune to being fooled. We are examining the Distro upgrade script process as well as the current Module Admin system to plan on future improvements to further cross check against such attacks or general download corruption.

Although we are still scanning various systems, we feel this is probably the extent of the damage done by this compromise. If we find other issues that need communicating we will do such.

[b]The FreePBX Team[/b]

FreePBX 2.11 Final

If you’ve been on top of the online module repository then you may have noticed that the last Framework and Core update brought your 2.11 system up to final release state. As we discussed in [url=/news/2013-04-18/quick-release-candidate-and-otts-space-still-available] one of our last blogs[/url] this has been a long release but we are excited to mark it final and equally excited to see how many systems out there are running it in production!

To try and go through a run down of what 2.11 added would be a bit too overwhelming for a blog post. We encourage you to join the 15,000 or more 2.11 users out there in experiencing all the great work we’ve done! If you want a first hand walkthrough and enjoy making last minute plans, there’s still a couple seats left in next weeks [url=/training]OTTS FreePBX training at Digium Headquarters in Huntsville, AL[/url].

With 2.11 behind us we’ll probably be taking a short breather and while doing such, expect to see some updates to the “trac” side of the website where we will be migrating it to some much improved ticketing and tracking tools that Andrew (tm1000) has been doing such a great job working on. That will also solve the problem that many of you have had not being able to add attachments to trac tickets that we ran into in a server upgrade a few months ago.

Moving forward, the development team has already spent some time with the Asterisk developers to comprehend the huge upcoming changes in Asterisk 12 later this year. This is going to involve a huge effort on our part given the entire SIP stack has been replaced and significant other chunks such as the Asterisk manager have changed drastically. There will be a huge burden on the part of the FreePBX team to adapt to these changes and enable the rest of the eco system to follow suit!

For now, go upgrade your systems to 2.11 if you’ve been waiting for this “official” milestone and see what the last many months has in store for you!

Philippe – On behalf of the FreePBX and Schmooze Team!

More Routing and Trunking Enhancements in 2.11

Back again with a few more features being added to the Routing and Trunks category though this time targeted at 2.11. Tony told you about the [url=/news/2012-09-20/freepbx-extension-routing-module]Extension Routing module[/url] a week or so ago which resulted in a lot of positive feedback and happy community members who have wanted a simple solution to this problem. While we were messing around with this part of the code I thought I’d address a handful of other requests that have been outstanding in this area!

To recap [url=/news/2012-09-20/freepbx-extension-routing-module]Extension Routing[/url], this was the introduction of a module available on 2.10 that allows you to restrict extensions to certain routes in a simple and easy to understand way. [url=/news/2012-09-20/freepbx-extension-routing-module]Tony’s blog post[/url] goes into a lot more detail if you didn’t get a chance to read it.

[b]Outbound Route Destinations[/b]

The first of today’s highlighted features is the addition of an optional [i]Destination[/i] that can be chosen for an Outbound Route. This dialplan destination would be followed if all the trunks configured reported some form of CONGESTION and you wanted to do something more creative [float=right]Route Destinations[/float]with the call then simply playing one of the messages configurable from the Route Congestion Messages module. A simple use case for this might be a custom announcement for all 900 phone numbers informing your users that these numbers are not allowed. You can route a call to any other destination you have on your system where I’m sure our user base will come up with all sorts of creative uses for this feature!

[b]Outbound Route Recording[/b]

When we re-engineered Call Recording in 2.10 we added the ability to force a call to be recorded based on the inbound DID it came in, within Modules like Ring Groups, Queues and Conferences or though a specific call flow directive. The last loose end was forcing all calls out a specific route to be recorded, just like the setting with inbound routes. That’s now been implemented in 2.11.

[b]Trunk Fail-Over on Busy[/b]

Something that comes up repeatedly in the forums are users running into carriers that don’t know how to signal properly. The carrier will send back a BUSY when they should have been sending back a CONGESTION. A BUSY is suppose to mean the far end destination you just tried does not want or can’t be bothered at the moment. Given this ‘proper’ interpretation FreePBX does not bother to fail over [float=left]Busy Trunk as Congested[/float]to the next trunk since the message was clear, [b]THEY ARE BUSY![/b], and another trunk is not going to tell you something differently! In order to get around these carrier issues, we’ve added a per-trunk feature so you can configure any one or multiple trunks to ‘always’ fail over to the next trunk if they can’t get the far end ringing. This is not limited to the BUSY scenario, your carrier might be signaling a number as invalid because their switch is programmed improperly or for other reasons. When configured, this will always overflow to the next trunk or configured destination on an un-successfrul call attempt.

These new features will all require 2.11 to take advantage of and with Astricon fast approaching, I’ll try to get a proper 2.11 beta tarball rolled this week so you don’t have to pull these from SVN if you want to get started with them early. Of course don’t let me stop you from grabbing the code now!

Speaking of Astricon, a bunch of us plan on being there this year and we’ll have a booth as well so come by and say hi and see what we are up to!

For now, give us feedback on these features or other other ideas this might trigger since it’s always a good time to make sure “long ignored features” show up on our radar when we are in a push to get a release finished!

[b]Philippe[/b] on behalf of the FreePBX Team!

[b]P.S.[/b] We haven’t touched on the [url=/news/2012-08-16/seeking-feedback-on-new-website-design]New Website Design[/url] in a while. We’ve been looking for an experienced Drupal developer to help with the implementation of the new design. This includes both the Drupal backend configuration and migration as well as Drupal Theme design for the new look we are shooting for. If you know someone you can recommend, can you please PM me with that information? We have funds to do this so it doesn’t have to be free though it isn’t going to be a ‘huge’ project either. Thanks!

Update on 2.11 and Full ISO Distro

I’ve been back from Spring break for a week so time for an update. I’ll go over some of the CEL (Call Event Log) work, talk a bit about some security “auditing” additions I’ve been adding to Module Admin, and give you a preview on some great work towards a full FreePBX Distro ISO (vs. netinstall) that Tony has been working on! We also have a great [url=]FreePBX Appliance[/url] that has been added to the store and some new [url=]Support Peace of Mind (POMPS)[/url] service offerings to compliment the existing paid services. Lastly, if you are procrastinating registering for the next [url=/open-telephony-training-seminar]Open Telephony Training Seminar[/url] time is running out so [url=/open-telephony-training-seminar-register]go register now[/url] to assure your spot!

FreePBX 2.11

Version 2.11 is still very much in an “alpha” phase with no tarball available yet. We’ll work on branching trunk to 2.11 shortly and make it a bit easier to start reviewing. Some work has started with the Asterisk CEL technology and I made some checkins yesterday into the 2.11 branch of the CDR reporting module. Unix ODBC, Asterisk ODBC, CEL and CEL ODBC support are all required in order to get the module working the way it has been initially implemented. All the required RPMs are available through [i]yum[/i] on the Distro though no configuration work has yet been done. Much of this is at the Distro level which we have not attacked at this time, but we’ve included a zipped file with instructions in the 2.11 CDR module that makes it pretty easy to configure if you want to start playing with it. We would like early adopters who are very interested in CEL to get their hands dirty and provide feedback and suggestions before we move forward heavily on an implementation path.

Once you’ve configured CEL, the current CDR Reports module will allow you to click on any CDR record resulting in a full list of CEL events associated with that record, as well as a display of all the CDR records that are part of the same call. You can now have fun with call pickups, transfers, parking, etc. and see all the events that make up that single call, as well as all the CDR records which are in fact the same call.

The CELs are ultimately designed around getting more accurate billing data but our initial goal is to simply get the technology out and into FreePBX hoping this results in creative ideas or third party modules taking advantage of this and delivering some very useful functionality.

Security is always a critical area that gets people’s attention. We [url=/news/2012-03-26/security-concerns-2-11-updates-and-expiring-early-bird-specials]patched a serious security vulnerability[/url] several weeks ago but despite that, we continued to see reports of people being hacked well after the fixes were available for easy detection and installation from the online repository. We decided to embark on some ideas that may help highlight vulnerable modules installed on a system that are known to contain security vulnerabilities. When this work is finished, Module Admin will highlight known vulnerable modules so they are very obvious and add security notifications into the notification panel. If you are setup to receive emails from Module Admin, then these security issues will also be emailed to you. We’ll blog more details about this in the coming weeks since there’s a lot more to talk about and this blog is already getting pretty long!

FreePBX Distro and Appliance

The FreePBX Distro has been a great success and the endless work from Tony and the Schmooze Com, Inc team has been awesome! Up until now loading the Distro requires a [i]netInstall[/i] which works fine for most situations but has resulted in a lot of requests for a full ISO download. Tony has tackled this problem and will tell you a lot more about this in the next blog so stay tuned. As always, he’s gone the extra mile to deliver you more then just a basic ISO!

[float=left] FreePBX Appliance
[/float] We’ll take a moment to point you at the absolute and simplest way to load up your system, which would be with the [url=]FreePBX Appliance[/url] that has been sitting in the [url=]FreePBX Store[/url] for some time with a lot of happy customers. The [url=]FreePBX Classic[/url] is a great solution for most installations including standard features such as dual mirrored (RAID1) drives, a fantastic form factor with minimal moving parts and even [url=]FreePBX Support Credits[/url] to get you started. For a really beefy and/or rack mountable solution that won’t run you much more there’s the [url=]FreePBX Xtreme[/url] which packs higher CPU, memory, expandability and more. You can get much more details on these great appliance [url=]in the store[/url] and they all come pre configured with the FreePBX Distro on top of high quality hardware components!

If a fully supported appliance from the world class team that brings you this great project doesn’t give you all the [url=]Peace of Mind[/url] you require, have a look at the new [url=]POMPS[/url] support contracts now available from the [url=/freepbx-official-paid-support]FreePBX Support and Services[/url] team! With these offerings SLA levels up to 24×7 support are now available whether running your own hardware or one of these great appliances! Check the [url=]Store[/url] to get all the details.

Open Telephony Training Seminar

The next [url=/open-telephony-training-seminar]OTTS[/url] event is coming up in less than 4 weeks and the last two seminars completely sold out! If you are thinking of joining us in the Twin Cities next month then make sure to [url=/open-telephony-training-seminar-register]register now![/url] We look forward to seeing some of you there!

Back to coding for now, we’ll be back shortly with more details on the ISO and the Security Notification work that is being worked on!

Philippe – On behalf of the FreePBX Team

[url=]Get details on the FreePBX Appliance Here[/url] [url=]FreePBX Support Services including Great POMP Offerings[/url] [url=/open-telephony-training-seminar]Training Opportunities with OTTS[/url]

What are we thinking about for 2.11

With 2.10 finalized and humming along on thousands of systems, it’s time to start deciding what to do for the next release. With the current trend of double digit release numbers, maybe we should name it 11 instead of 2.11? If you have an opinion feel free to express it but for now let’s discuss more interesting topics, like what should be in it!! Some of us developers got on a phone conference last week to start this dialog. We’ve got some ideas which I’ll express next but as always we want to hear from you!

For starters, our general consensus was to target the next Astricon for a release timeframe. Astricon is held annually towards the end of October, so that gives us about 7 months from now. We kept the discussion at a high level with the expectation to summarize here and begin to get your feedback on things to work on. From an Asterisk perspective, we will support the current LTR (Long Term Release) of Asterisk 1.8, plus 10 and 11 which will be the next LTR due out about that time also.

One big change in Asterisk 10 is the rewrite of the [i]ConfBridge[/i] application. MeetMe has been the [i]”primary”[/i] conferencing application prior to 10 but has some problematic requirements which also keep it form handling wide band codecs. The Asterisk team rewrote what looks to be an awesome new version of the ConfBridge application which has so much flexibility and power that it deserves a complete rewrite of our conferencing module in FreePBX! In order to get some early exposure to the new ConfBridge, we’ll add support in the current Conferencing Module for FreePBX 2.10, but the real flexibility won’t come until the module get’s rewritten!

The biggest undertaking for 2.11 is to finally replace the User Portal (ARI – Asterisk Recording Interface) with a new and modern version that is written from the ground up. Schmooze Com, Inc has stepped up to the plate with the current intention of leading up this effort and providing significant contributions to the rewrite.This will be an ambitious undertaking and we are very excited that it is en-route to becoming a reality!

Another technology we discussed investigating is the ability to remotely monitor [i]ExtensionState[/i] information (Asterisk [i]”hints”[/i]) between two or more PBX systems. This underlying technology uses XMPP as its transport mechanism and requires an outside XMPP server to configure and run. Potential applications range from BLF enabled buttons that monitor remote extensions at another branch, to ExtensionState information about remote queue members being available to the local queue, to separate Voicemail Servers with MWI information available locally and more. Our starting point will be an investigation and then explore what we might do to take advantage of it. Ward (from Nerd Vittles) indicated some interest in getting a test bed up and going but if anyone else out there wants to join the party and help with the effort you would be more than welcome!

We’ve also started exploring the Call Event Logging (CEL) infrastructure added to Asterisk 1.8. The CEL is an event based subsystem with the focus of comprehensive [i]”billing”[/i] systems in mind. Today, we have the CDR records that form the basis of our call reports. These have some use but a lot of limitations and can often be difficult to read. What becomes particularly hard is to try and track a complex call that may go through various stages such as attended and blind transfers, call pickups, parking and more. With CEL, you will get MANY more events from a given call, but it’s possible to process those events in such a way that we can group all information related to a single call which becomes quite useful for someone trying to bill for or otherwise account for a full call flow. The CEL subsystem is quite flexible so there are a lot of possibilities available. We expect 2.11 will be just the beginning!

There was some additional discussion including what level of support we should or even could provide to Google Voice if a developer were able to commit to keeping after it, as well as CallerID Superfecta which currently is not at all in our control as it is not even housed in any of our repositories. For the most part though, we were looking at the above “bigger” technologies we want to play with and hopefully introduce and then come here to start asking you to throw out your ideas. We will be digging through the feature request tickets as is always the case but your comments are very welcome here so please feel free to fire away!

As a quick side note, May is approaching faster then expected, as well as the end of March deadline for Early Bird Pricing on the upcoming [url=/open-telephony-training-seminar]OTTS training coming to Minneapolis, MN[/url] so if that’s something you are considering don’t procrastinate too long and miss out on the savings! Signups have already started and the last two events ended up selling out so make sure to reserve your spot!

For now, let us know what your ideas are for the next FreePBX release!

[b]Philippe[/b] – On Behalf of the FreePBX Team!