Security Concerns, 2.11 Updates and Expiring Early Bird Specials

We continue to make progress on the various technology efforts we have planned for 2.11, mentioned in the [url=/news/2012-03-13/what-are-we-thinking-about-for-2-11]last blog post[/url]. While at it we also continue to plug the miscellaneous bugs that always surface after a final release, and in general. For as much as we changed in 2.10, it’s been pretty smooth sailing! In addition to updating you on the 2.11 efforts, we’ll update you on a recent security vulnerability that has been addressed and some thoughts it provoked on the subject. Lastly, if you’re thinking about OTTS, the [url=/open-telephony-training-seminar-register]Early Bird Special expires Saturday[/url], so don’t procrastinate too long if you would like to save a few hundred dollars!

First, a quick word on the security issue, since that usually piques people’s interest. There were a couple of threads in the forums about a security report that included a handful of XSS (Cross Site Scripting) vulnerabilities and one RCE (Remote Command Execution) vulnerability. First of all, if all your modules are up to date then you are safe from these specific vulnerabilities, as they have been addressed. All but one of the XSS issues had already been removed in 2.10. Our standard policy is to fix the currently supported releases (2.9 and 2.10) as well as the previous two releases, though in this case I pushed the fixes back to 2.6.

A few words on the RCE vulnerability. This was a flaw that would allow an attacker to penetrate your system and run arbitrary Linux commands. In most installations, including the FreePBX Distro, those commands run as user asterisk, which means the attacker could run any command that user asterisk has privileges to run, and that is enough to do significant damage. Some distros, such as trixbox (for those of you still running trixbox) and Elastix, allow user asterisk to run some commands as root via [i]sudo[/i], and on those systems the exploit could reach the root user. Being penetrated as the asterisk user or as the root user are both very bad, though as root even more damage can be done. I will stress that a system properly protected, such that http access is not possible without a secure VPN, was not at risk from the internet, though it was still vulnerable to a malicious user with local access. (Technically, a cross-site attack, such as one of the reported XSS bugs or a crafted link, could also trick a user who does have access into triggering the RCE vulnerability from their own browser.) This issue has been fixed, but it again underlines that exposing http access poses significant risk. Though this one is now fixed, there are certainly other dormant vulnerabilities not yet discovered, so think twice before exposing http access outside of VPN protection.

If you go to Module Admin, or have it run automatically, you will have seen (or will see, if you haven’t done it yet) that there are module updates available, and if you review the changelogs for the modules you will see references to this recent security issue. If you are happy just updating all your modules, which is usually a fairly safe thing to do, then you are covered. However, this got us thinking about ways to better bring to your attention any critical updates that are necessary to address known vulnerabilities. The FreePBX notification system already has the ability to post very visible security notices in the panel, and if you have provided an email address to be notified of module updates, it will also send an email notifying you of these issues. What we are looking at doing in 2.11 is adding information to the Module Admin XML data that gets retrieved, so that your PBX can compare its current module versions against the versions known to contain fixes and warn you through these mechanisms if it detects that you are running a vulnerable version of any module. This would give those of you who are more cautious about applying updates a prompt warning without having to dig through all the module changelogs each time one is published.
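The check described above, as an added example rather than FreePBX’s own code: it parses a feed that carries, per module, the first fixed version on each release branch, and classifies the installed version against it. The <security> element, its attributes, the module names and every version number below are constructed assumptions for the example, not FreePBX’s real Module Admin XML and not a real advisory. The one design point worth taking from it is that, because fixes are pushed to several release branches at once (2.6 through 2.10 in this case), a single “minimum safe version” cannot express the fix; the feed needs one fixed version per branch, and version strings must be compared numerically, not as strings.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the kind of data the post proposes adding to the
# Module Admin XML. The <security> element, its attributes, the module
# names and every version number here are assumptions for this example,
# not FreePBX's real feed format or any real advisory.
FEED_XML = """<modules>
  <module>
    <rawname>examplemod</rawname>
    <security summary="constructed example: command execution in examplemod">
      <fixed branch="2.8" version="2.8.0.7"/>
      <fixed branch="2.9" version="2.9.0.5"/>
      <fixed branch="2.10" version="2.10.0.3"/>
    </security>
  </module>
  <module>
    <rawname>othermod</rawname>
  </module>
</modules>"""

# Worst status wins when a module has more than one advisory.
SEVERITY = {"clean": 0, "fixed": 1, "unfixed-branch": 2, "vulnerable": 3}


def parse_version(version):
    """'2.10.0.3' -> (2, 10, 0, 3).

    Comparing int tuples avoids the string-ordering trap: as strings,
    '2.10.0.3' < '2.9.0.5', which would flag a fixed 2.10 module as old.
    """
    return tuple(int(part) for part in version.split("."))


def release_branch(version):
    """Module versions track the FreePBX release they belong to, so the
    first two components ('2.10') name the branch the fix must match."""
    return ".".join(version.split(".")[:2])


def load_advisories(feed_xml):
    """Map rawname -> [{'summary': str, 'fixes': {branch: first_fixed}}]."""
    advisories = {}
    for module in ET.fromstring(feed_xml).findall("module"):
        name = module.findtext("rawname")
        for adv in module.findall("security"):
            advisories.setdefault(name, []).append({
                "summary": adv.get("summary"),
                "fixes": {f.get("branch"): f.get("version")
                          for f in adv.findall("fixed")},
            })
    return advisories


def assess_one(installed, advisory):
    """Classify one installed version against one advisory.

    'fixed'          - at or above the first fixed version on its branch
    'vulnerable'     - on a branch that has a fix, but below it
    'unfixed-branch' - the advisory lists no fix for this branch at all, so
                       the module cannot be known-good; warn, do not stay quiet
    """
    fixed_in = advisory["fixes"].get(release_branch(installed))
    if fixed_in is None:
        return "unfixed-branch"
    if parse_version(installed) >= parse_version(fixed_in):
        return "fixed"
    return "vulnerable"


def assess(installed, advisories):
    """Worst status across all advisories for a module ('clean' if none)."""
    return max((assess_one(installed, a) for a in advisories),
               key=SEVERITY.get, default="clean")


def check_modules(feed_xml, installed_versions):
    """installed_versions: {rawname: version} as Module Admin sees them.
    Returns {rawname: status}; anything other than 'clean' or 'fixed'
    should raise a security notice in the panel and the notification email."""
    advisories = load_advisories(feed_xml)
    return {name: assess(version, advisories.get(name, []))
            for name, version in installed_versions.items()}


if __name__ == "__main__":
    installed = {"examplemod": "2.10.0.2", "othermod": "2.10.0.1"}
    for name, status in check_modules(FEED_XML, installed).items():
        print(f"{name:12s} {installed[name]:10s} {status}")
```

Note the 'unfixed-branch' outcome: a module on a branch the advisory does not mention (here anything below 2.8) is not silently treated as safe, which is the failure mode a naive "installed >= fixed" comparison produces.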

Security aside, back to looking forward. One of the areas discussed is the CEL (Call Event Logging) subsystem in Asterisk. I’ve been playing around with this a bit, and it provides some interesting and very voluminous data if you enable all the events that Asterisk has to offer, and that doesn’t include any user-defined events, which we will be sure to add into FreePBX. It’s still very early, so we’ve only started playing with the technology. Some of the current talk for the initial introduction is simply to allow any current CDR record to be clicked and, by doing so, to receive the full set of CEL records that make up that call. In some cases there can be multiple CDR records that all come from a single call. In those cases, regardless of which of them you clicked on, you would still receive the full CEL thread for that single call. At this point we’ve determined how to obtain that full list consistently. What’s left are many more decisions to be made, from how best to log the transactions, which events to log, which fields to log, how best to present the data, and more. The main goal for this release is going to be getting this exposed. Once it is exposed and easily configured in FreePBX, more ideas from you and great third-party tools are sure to follow.
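One way to get the full CEL thread from any of a call’s CDR records, as an added example that is not the post’s or FreePBX’s own code: Asterisk stamps every channel that takes part in a call with the same linkedid (the uniqueid of the channel that started it), and both the cdr and cel tables carry that column, so the lookup goes CDR -> linkedid -> all CEL rows, not CDR -> uniqueid. The post does not say which field its approach keys on; linkedid is this example’s assumption. The rows below are constructed, not real Asterisk output: one call where 1001 dials 1002 and 1002 transfers the caller to 1003, producing two CDRs, plus an unrelated call that must not leak into the result.

```python
from datetime import datetime

# Constructed sample rows, not real Asterisk output. One call: 1001 dials
# 1002, who then transfers the caller to 1003. Asterisk wrote one CDR per
# leg, but every channel that took part carries the same linkedid (the
# uniqueid of the channel that started the call), and that is the field
# this example keys on. Column names follow Asterisk's cdr/cel tables.
THIS_CALL = "1332800000.1"    # linkedid shared by all three channels
OTHER_CALL = "1332800100.7"   # an unrelated call that must not leak in

CDR_ROWS = [
    {"uniqueid": "1332800000.1", "linkedid": THIS_CALL, "src": "1001", "dst": "1002"},
    {"uniqueid": "1332800003.3", "linkedid": THIS_CALL, "src": "1002", "dst": "1003"},
]

CEL_FIELDS = ("eventtime", "eventtype", "channame", "uniqueid", "linkedid")
CEL_ROWS = [dict(zip(CEL_FIELDS, row)) for row in [
    # deliberately not in time order, as a query without ORDER BY may return them
    ("2012-03-27 10:01:20.005", "LINKEDID_END", "SIP/1001-00000001", "1332800000.1", THIS_CALL),
    ("2012-03-27 10:00:00.000", "CHAN_START",   "SIP/1001-00000001", "1332800000.1", THIS_CALL),
    ("2012-03-27 10:00:00.010", "CHAN_START",   "SIP/1002-00000002", "1332800000.2", THIS_CALL),
    ("2012-03-27 10:00:04.000", "ANSWER",       "SIP/1002-00000002", "1332800000.2", THIS_CALL),
    ("2012-03-27 10:00:04.005", "BRIDGE_START", "SIP/1001-00000001", "1332800000.1", THIS_CALL),
    ("2012-03-27 10:00:05.000", "CHAN_START",   "SIP/1555-00000009", "1332800100.7", OTHER_CALL),
    ("2012-03-27 10:00:30.000", "CHAN_START",   "SIP/1003-00000003", "1332800003.3", THIS_CALL),
    ("2012-03-27 10:00:33.000", "ANSWER",       "SIP/1003-00000003", "1332800003.3", THIS_CALL),
    ("2012-03-27 10:00:40.000", "BRIDGE_END",   "SIP/1001-00000001", "1332800000.1", THIS_CALL),
    ("2012-03-27 10:00:40.001", "HANGUP",       "SIP/1002-00000002", "1332800000.2", THIS_CALL),
    ("2012-03-27 10:00:40.002", "CHAN_END",     "SIP/1002-00000002", "1332800000.2", THIS_CALL),
    ("2012-03-27 10:00:40.010", "BRIDGE_START", "SIP/1001-00000001", "1332800000.1", THIS_CALL),
    ("2012-03-27 10:01:20.000", "BRIDGE_END",   "SIP/1001-00000001", "1332800000.1", THIS_CALL),
    ("2012-03-27 10:01:20.001", "HANGUP",       "SIP/1003-00000003", "1332800003.3", THIS_CALL),
    ("2012-03-27 10:01:20.002", "CHAN_END",     "SIP/1003-00000003", "1332800003.3", THIS_CALL),
    ("2012-03-27 10:01:20.003", "HANGUP",       "SIP/1001-00000001", "1332800000.1", THIS_CALL),
    ("2012-03-27 10:01:20.004", "CHAN_END",     "SIP/1001-00000001", "1332800000.1", THIS_CALL),
    ("2012-03-27 10:02:00.000", "HANGUP",       "SIP/1555-00000009", "1332800100.7", OTHER_CALL),
]]


def _when(event):
    return datetime.strptime(event["eventtime"], "%Y-%m-%d %H:%M:%S.%f")


def cel_thread_for_cdr(cdr_uniqueid, cdr_rows=CDR_ROWS, cel_rows=CEL_ROWS):
    """All CEL events of the call a CDR belongs to, oldest first.

    Any CDR of the call gives the same thread, because the lookup goes
    through the CDR's linkedid rather than its own uniqueid.
    """
    cdr = next((r for r in cdr_rows if r["uniqueid"] == cdr_uniqueid), None)
    if cdr is None:
        raise KeyError(f"no CDR with uniqueid {cdr_uniqueid}")
    thread = [e for e in cel_rows if e["linkedid"] == cdr["linkedid"]]
    thread.sort(key=_when)   # stable, so equal timestamps keep insertion order
    return thread


def cel_for_channel(uniqueid, cel_rows=CEL_ROWS):
    """The naive lookup: match on the CDR's uniqueid only. It returns just
    that one channel's events and silently drops the other legs."""
    return sorted((e for e in cel_rows if e["uniqueid"] == uniqueid), key=_when)


def channels_in(thread):
    """Distinct channel names that appear in a thread."""
    return sorted({e["channame"] for e in thread})


if __name__ == "__main__":
    for e in cel_thread_for_cdr("1332800003.3"):
        print(e["eventtime"], f'{e["eventtype"]:13s}', e["channame"])
```

Clicking either CDR (uniqueid 1332800000.1 or 1332800003.3) yields the same sixteen events across three channels, ending in LINKEDID_END; matching on the CDR’s own uniqueid instead returns only the eight events of the caller’s channel, which is the inconsistency the post describes having had to work around.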

The User Portal effort headed up by Schmooze Com, Inc. is also quite in its infancy. At this point, the things we are running into this early in the game are flushing out some of those dark and aging areas inside FreePBX that are well overdue for replacement in order to facilitate the new work we want to do. This has always been referred to as the various ‘internal plumbing’ that we continue to replace over time; something that is usually not very visible to the end user but critical and necessary to ensure FreePBX continues to be the great product we are all so happy with.

I did not sync up with Ward before writing this blog to determine if any progress has been made on the XMPP enabled “remote hints” that I mentioned in the last blog post. Hopefully we’ll know if work has been done in that space next time we have some updates!

As a quick reminder, the next [url=/open-telephony-training-seminar]Open Telephony Training Seminar[/url] is quickly approaching, and with the [url=/open-telephony-training-seminar-register]Early Bird Special[/url] ending Saturday, March 31st, now’s the time to save yourselves a few hundred dollars and make sure you have an opportunity to be part of our upcoming training!

[b]Philippe[/b] – On Behalf of the FreePBX Team!