FreePBX / PBX in a Flash
From VoIP.ms Wiki
Revision as of 17:28, 7 July 2015
Important Security Information
We are aware of an important and critical exploit affecting all FreePBX versions prior to 12. This zero-day remote code execution and privilege escalation exploit allows an unauthenticated user to bypass authentication and gain 'Full Administrator' access to the FreePBX server when the 'FreePBX ARI Framework module/Asterisk Recording Interface (ARI)' is present on the system. It can give any unauthorized user full remote code execution as the user running the Apache process. The exploit can also affect users who updated to version 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.
Here are the recommendations from the freepbx.org website for protecting their product against this issue: http://www.freepbx.org/critical-freepbx-rce-vulnerability-all-versions/
FreePBX / PBX in a Flash (SIP) Configuration
Fill in the blanks with your information; the screenshots above are just examples.
canreinvite=nonat
nat=yes
context=from-trunk
host=atlanta.voip.ms   ; one of our multiple servers, you can choose the one closest to your location
secret=*****           ; password associated with the Main or Sub-account
type=peer
username=100000        ; replace with your 6-digit Main SIP Account User ID or Sub Account username, i.e. 123456 or 123456_sub
disallow=all
allow=ulaw
; allow=g729           ; uncomment if you purchased g.729 from Digium
fromuser=100000        ; replace with your 6-digit Main SIP Account User ID or Sub Account username, i.e. 123456 or 123456_sub
trustrpid=yes
sendrpid=yes
insecure=invite
qualify=yes
Register String: youraccountnumber:yourpassword@atlanta.voip.ms:5060 (e.g. 123456:yourpassword@atlanta.voip.ms:5060, using the same server as the host= line above)
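As an added example (not from the VoIP.ms wiki or from FreePBX), a small Python linter that parses this peer definition with Asterisk comment rules, checks the values the page asks you to fill in, and builds the matching register string; the account values in the sample are constructed.

```python
import re
# Constructed sample: the page's trunk definition with a fake sub-account and placeholder secret.
SAMPLE_PEER = """
canreinvite=nonat
nat=yes
context=from-trunk
host=atlanta.voip.ms
secret=*****
type=peer
username=123456_sub
disallow=all
allow=ulaw
; allow=g729 ; uncomment if you purchased g.729 from Digium
fromuser=123456_sub
trustrpid=yes
sendrpid=yes
insecure=invite
qualify=yes
"""
USER_RE = re.compile(r"^\d{6}(_[A-Za-z0-9]+)?$")  # 123456 or 123456_sub

def parse_peer(text):
    """Parse key=value lines in file order; ';' starts a comment."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def lint_peer(text):
    """Return findings for a trunk definition, in a stable order."""
    pairs = parse_peer(text)
    d, order = dict(pairs), [k for k, _ in pairs]
    findings = []
    if d.get("secret", "") in ("", "*****"):
        findings.append("secret is still the placeholder")
    for key in ("username", "fromuser"):
        if not USER_RE.match(d.get(key, "")):
            findings.append(f"{key} is not a 6-digit ID or 6-digit_sub name")
    if d.get("disallow") != "all" or (
        "allow" in order and order.index("allow") < order.index("disallow")):
        findings.append("codecs not restricted: disallow=all must precede allow=")
    # insecure=invite skips INVITE authentication; only acceptable because host= pins the provider server
    if d.get("insecure") == "invite" and d.get("host", "dynamic") == "dynamic":
        findings.append("insecure=invite with host=dynamic accepts unauthenticated INVITEs")
    return findings

def register_string(d, port=5060):
    return f"{d['username']}:{d['secret']}@{d['host']}:{port}"  # user:secret@host:port
```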
