This past week saw two noteworthy threads posted to the FreePBX community forum a few days apart: independent reports of a “Tampered File Warning” showing up in the FreePBX dashboard. This warning is connected to a core security feature of FreePBX. In FreePBX (and PBXact) each module is published with a signature, and if any FreePBX file is altered from its published state, a security warning is generated on the dashboard and, if enabled, also sent by email. If such a warning appears on your FreePBX system, it’s important to identify what is happening; DON’T ignore it! In this case, both reporters of the issue were running a popular third-party Asterisk operator console application, and both had permitted access to the FreePBX Admin GUI and the console application from untrusted source IPs.
Initial findings from working with one of the reporters and digging a little deeper were that the FreePBX framework file could be modified by leveraging some code in the third-party operator console application. It was later determined that the leveraged code was also spurious, so the question then became, “How did the malicious code come to be present in the operator console application?” At the time of writing, some details are still emerging, but it looks like the FreePBX dashboard warning may have revealed a previously unknown exploit in the operator console application. This announcement provides details, describes a workaround and includes details from the publisher about a fix.
While it’s never great when an exploit is found in the wild like this, there are some positive aspects to this story. First, the FreePBX module security system worked exactly as intended, and did so promptly. Once the FreePBX file was tampered with, PBX administrators were notified of the event. Users then sought expertise on the Community Forum, which generated the attention that this issue needed. Second, events like this serve as a reminder for all of us to take a disciplined approach to PBX security. Employ good security practices such as denying access by default to critical services, particularly the Admin GUI and operator consoles. Had access been limited only to trusted source IPs, this weakness might not have been exploited in the first place.
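The tamper warning described above rests on comparing installed files with their published state. As an added illustration (not FreePBX's own code), the example below performs that comparison against a SHA-256 manifest and also reports files that were never published. The file names are constructed, and the manifest is assumed to be already authenticated, since signature verification is not shown.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Publisher side: record the SHA-256 of every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Installed side: compare the tree with the published manifest.
    Assumption: the manifest itself was verified (signature check not shown)."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest
                           if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }

def demo() -> dict[str, list[str]]:
    """Constructed module tree: publish, alter, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php echo 'dashboard';\n")
        (root / "lib" / "util.php").write_text("<?php function util() {}\n")
        (root / "module.xml").write_text("<module/>\n")
        manifest = build_manifest(root)  # state at publication
        # Constructed changes: one edit, one deletion, one unpublished file.
        with (root / "index.php").open("a") as f:
            f.write("// appended after publication\n")
        (root / "module.xml").unlink()
        (root / "lib" / "extra.php").write_text("<?php // not published\n")
        return audit(root, manifest)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Reporting the "unexpected" category matters because a manifest check that only walks the published file list will not notice a file added alongside the legitimate ones.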
The FreePBX Distro includes many security tools, the most important of which is the Firewall module. For those needing to learn more or wanting a refresher on FreePBX Security features, check out the Firewall wiki pages, any of the Open Source Pro Tips videos such as this one about the Firewall, and the System Admin wiki pages. There’s a wealth of other information in the wiki, like this security checklist. And, as always, there’s a standing invitation to join us over on the FreePBX community forum to ask questions and share answers.