FreePBX (All Versions) RCE

[rob . thomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

We would like to announce that a significant security vulnerability has been 
discovered in all current versions of FreePBX.

A CVE has been requested from Mitre, but has yet to be provided.

Further details as they come to hand will be available from 
http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions/24536
 which should be treated as the authoritative source of information. The CVE, 
when provided, will be linked from there.

There is also futher information available there about how to detect and remove 
any potential intrusion to your FreePBX machine.

Summary:
A remote attacker can bypass authentication and create a false FreePBX 
Administrator account, which will then let them perform any action on a FreePBX 
system as the FreePBX user (which is often 'asterisk' or 'apache').

This vulnerability is caused by the improper use of 'unserialize' in a legacy 
package that has been deprecated in the latest versions of FreePBX, but is 
still in common use.

An emergency security release has been pushed to resolve this for all supported 
versions (12, 2.11, and 2.10) as well as an emergency backport to 2.9, which is 
outside of our normal supported environment.

If you are running a version prior to 2.9, and are unable to upgrade, the patch 
is available below.

The fixed module versions are:
2.9: fw_ari v2.9.0.9
2.10: fw_ari v2.11.1.5
2.11: fw_ari v2.11.1.5 (not a typo, it’s the same module version)

In FreePBX 12 ARI is deprecated in favour of the new User Control Panel, but 
ARI is available as a legacy package if required, as version 12.0.5.

All versions lower than this are vulnerable and should be removed if unable to 
be upgraded.

Note that disabling them will NOT resolve this issue, the files must be removed 
or patched.

This issue was discovered by a signature verification failure on a FreePBX 12 
system, and the attack appeared to be scripted. As such, this attack should be 
considered to be 'in the wild', and upgrades should be actioned with the utmost 
urgency.

FreePBX and Schmooze takes security very seriously, and treat all security 
issues as a critical event.  We urge anyone who has discovered a security 
vulnerability in FreePBX, or its associated projects, to email 
secur...@freepbx.org for an immediate response.

We also continue our recommendation that your FreePBX machines are explicitly 
firewalled from public access from the internet.

Additional Details:

Overall CVSS Score - 6

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score  - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8

Link to patch:
https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836

FreePBX Security Team,
Schmooze Com Inc
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJUK1tIAAoJEFH1to0lFV3LLXYQALYBvxM8dNl7GZKoB5WOKIgK
gLXW7L9r3FfCOaFDHNoleexa/rnfnstzCRoRjFrittEC/Terj1NeY0hBtW4CPM8G
29fwNTeaeS1qtWnGNHs4E2cI4NGrn9OisLIHrXIBnLAkw83u1DmB3eL2d5haeek9
z5A5lK8p7uDLlOhSs+6IUVpk2r/P27shFOexrW1TfLZ8pghBkW32WUeROH/S6aRI
YnQpy99hJ3ei2JNYtT+jtIuylXOI+FNgfdf4GS60Qi2kTLoeRIM+y+n9+RYCNQer
65vPHN0nijkyTOTnlGXu+2o7Onb+jQrH16cUgvNrLSUn11REkJDXvfL1VL9fdZ7V
yRw1hAjkW77RmIOObvzRu2WMBi9uzuJTTmHGpywuTB30hbcwttZZYXXGD4Ukj66G
syF/MTMCRbhqSDsGuivNO3tr1fNfHOnqGguTLsozB00XfBQxl//rm5i867VhzYWr
W75FuWnGE9YqMitC7WXqIMMU4r87TQKSh+eVlHoqVNMboPuSO1b4tBq61+jYAlZA
dJThgizHzJLBTCCnWrEZ/vsrlKTyeKQX2/Ku1DijAzLwJ6/XDy2lLF0V5AT7gMEP
ScwlnKiymfM8Lp53W3yqGgCA6Qx9N4zoXsW8WLJE7IqhvWVoKh3NX3iUs50yT1Ji
eStbkZHo4yQKbar/xKj0
=oHVE
-END PGP SIGNATURE-

[CVE-2014-1903] FreePBX 2.9 through 12 RCE

[rob . thomas]

Overview:
Unauthenticated user-level Remote Code Execution (RCE) vulnerability in 
admin/config.php, the main interface to FreePBX.  This bug was introduced in 
FreePBX 2.9, earlier versions are not affected.

Score - 8.4 
(AV:N/AC:L/Au:N/C:P/I:P/A:C/E:H/RL:OF/RC:C/CDP:MH/TD:ND/CR:L/IR:L/AR:M)

Reference to Advisory:
http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice

Reference to Bug:
http://issues.freepbx.org/browse/FREEPBX-7123

Fixed in Versions:
2.9 -- 2.9.0.14
2.10 - 2.10.1.15
2.11 - 2.11.0.23
12 - 12.0.1alpha22

Additional Information:
FreePBX contains an automatic alert service for upgrade notifications. If your 
system is set up correctly, you would have received an email alert of this 
vulnerability when it was detected and fixed.  Schmoozecom strongly urges you 
to ensure that the email alert address is correct and up to date to ensure you 
receive notifications of security issues and pending updates.

Schmoozecom and FreePBX are very proactive and responsive to security issues, 
and care deeply about the security of our software and systems. We welcome 
security related bug reports and issues, and they can be submitted via email to 
secur...@freepbx.org for instant attention.

ifstatus 1.3 released

[Rob Thomas]

Hello.

Recently, one of my articles was posted to Bugtraq.  This article
detailed a method of creating a "hidden sniffer" on a Sun box.
The article may be perused here:

http://www.cymru.com/~robt/Docs/Howto/Sun/sniffer-trick.txt

To alleviate the concerns some of you have shared, I have updated
Dave Curry's ifstatus tool so that HME and QFE interfaces in
promiscuous mode, under Solaris 8, can be detected and noted.

You will find the tool in the Tools section of my web site under
the "ifstatus" hyperlink:

http://www.cymru.com/~robt/Tools

My thanks to Dave Curry, Neil Long, and Michael Hill for all of
the assistance and input!

As an aside, I do not consider the "sniffer trick" to be a bug in
the Solaris OS.  Those who read the article, and grok STREAMS and
the Sun implementation of the IP stack, are likely to come to the
same conclusion.

Comments and feedback are always welcome!  Please send any input
directly to me, as I don't always manage to keep up with the various
list postings.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");