- Ensure that all FreePBX/PBXact modules are up to date
- Always monitor and follow up on security notifications from your PBX
- Ensure that you are on supported FreePBX/PBXact version 15 or greater
- EOL versions of FreePBX/PBXact (14 or older) do not get security updates or bug fixes!
Security Vulnerability SEC-2023-001
Hello all. By now, administrators of FreePBX and PBXact versions 15 and 16 will have seen their dashboard and email notifications from September 5, 2023, that a new security update was available for the Endpoint Manager and Phone Apps modules. SEC-2023-001 identifies and resolves a vulnerability with insufficiently strong authentication in the Phone Apps web service that could potentially allow a malicious actor to brute force the service and gain access to the PBX internals as if from a trusted client/device. If you’ve not already done so, please take a moment now to ensure that all PBX modules are fully up to date. Checking online from Module Admin should immediately show any modules that have pending security updates.
SEC-2023-001 has a few requirements to be satisfied in order for a system to be vulnerable, but the primary one is that the Phone Apps web service would have to be exposed to untrusted IP traffic. By default, the FreePBX firewall ensures that access to the Phone Apps service is limited to trusted traffic only, and generally it shouldn’t be necessary to expose this service to the external zone. Always remember that for those who need SIP registration from external zones where the source IP can’t be determined in advance, the Responsive feature of the firewall module will dynamically allow access to the source IPs of registered SIP clients to other ancillary services such as the Phone Apps web service.
The primary notification method for FreePBX security updates is through FreePBX Module Admin. Any module update that is marked as a security update will automatically generate PBX dashboard and email notifications. Note also that there is an option in Module Admin to enable automatic installation of security updates, which is the fastest way to ensure your PBX gets security updates.
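As an added example (not Sangoma or FreePBX project code), the POSIX shell script below automates the "check online from Module Admin" step from the CLI side: it reads `fwconsole ma listonline` output and lists every module whose Status column reports an online upgrade. The assumption that a pending update appears as "Online upgrade available (version)" in that table, and the sample table itself, are constructed for this example; when `fwconsole` is not on the path the script falls back to the sample so it runs offline.

```shell
#!/bin/sh
# Added example, not FreePBX project code. Assumes `fwconsole ma listonline`
# prints one module per table row with a Status column that reads
# "Online upgrade available (<version>)" when an update is pending.

# Constructed sample of listonline-style output (used when fwconsole is absent).
SAMPLE_LISTONLINE='+------------+---------+--------+-----------------------------------+
| Module     | Version | Track  | Status                            |
+------------+---------+--------+-----------------------------------+
| restapps   | 16.0.50 | Stable | Online upgrade available (16.0.51) |
| endpoint   | 16.0.80 | Stable | Online upgrade available (16.0.81) |
| core       | 16.0.60 | Stable | Enabled and up to date            |
| api        | 16.0.12 | Stable | Enabled and up to date            |
+------------+---------+--------+-----------------------------------+'

# pending_upgrades: read listonline-style text on stdin and print the name
# (second table column) of every module with an online upgrade available.
pending_upgrades() {
  grep 'Online upgrade available' | awk -F'|' '{ gsub(/^ +| +$/, "", $2); print $2 }'
}

# pending_count: number of modules with pending upgrades in the given text.
pending_count() {
  printf '%s\n' "$1" | pending_upgrades | wc -l | tr -d ' '
}

# check_pbx: use live fwconsole output when available, otherwise the sample.
# Returns 1 when any module still has a pending upgrade, so it can be used
# as a cron/monitoring check.
check_pbx() {
  if command -v fwconsole >/dev/null 2>&1; then
    out=$(fwconsole ma listonline 2>/dev/null)
  else
    out=$SAMPLE_LISTONLINE
  fi
  n=$(pending_count "$out")
  if [ "$n" -gt 0 ]; then
    echo "WARNING: $n module(s) with pending online upgrades:"
    printf '%s\n' "$out" | pending_upgrades
    return 1
  fi
  echo "All modules up to date"
  return 0
}

check_pbx
```

Run it as root on the PBX (fwconsole needs the asterisk user's environment) or from a monitoring host over SSH; a non-zero exit means there are modules to update, after which `fwconsole ma upgradeall` or Module Admin in the GUI applies them.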
Sangoma acknowledges that the security communication procedure might not be adequate to reach all affected users; therefore we are committing to updating and consolidating our security notification procedures in the wiki and will be sharing them in the coming weeks.
Additional Reported Security Issues
The details of SEC-2023-001 were reported in May 2023 by Systems Research Group and we thank them for their report. At that time, Systems Research Group reported three other issues, all three of which first required an administrator to successfully log in to the Admin GUI before the vulnerability could be leveraged. If the logged-in administrator had restricted GUI privileges, the vulnerability could allow privilege escalation so that they could gain more access to the Admin GUI modules than otherwise permitted. The following modules were flagged, and updates were published in May as follows:
- Phone Apps v188.8.131.52 and v184.108.40.206 published to Edge May 16 2023
- Sangoma Property Management v15.0.8 and v16.0.23 published to Edge May 16 2023
- API v15.0.10 and API v16.0.12 published to Edge May 17, 2023
We’ve very recently learned that the fix published for the API module was not completely effective, so work on a full resolution is being prioritized now. We’ll publish a security update for this shortly. [EDIT 2023-09-26 this is published now as API module versions 15.0.11 and 16.0.13 – read about it here SEC-2023-002]
EOL FreePBX/PBXact Versions are not supported!
The FreePBX project currently supports FreePBX and PBXact versions 15 and 16 only. It is possible that some of the vulnerabilities described above are present in FreePBX 14 or older. We are periodically reminded that there are still older versions running in production, and unsupported versions don’t get any security fixes or bug updates. Anyone running an unsupported version is strongly encouraged to make a plan to upgrade now or contact Sangoma Sales/Support to get prompt assistance.