Thursday, October 2, 2014

FreePBX RCE vulnerability CVE-2014-7235

The FreePBX team has been made aware of a security vulnerability affecting one of its modules, the Asterisk Recording Interface (ARI). While many of our users do not use this module on a day-to-day basis, it is installed on almost all of our installs.

Important Notes

  • This vulnerability allows unauthenticated remote code execution via the web interface: an attacker can execute shell commands, limited to the rights of the Apache process (in our clients' cases, the low-privilege user asterisk). However, that user has rights to manage Asterisk, FreePBX and the other web-related software and services on the box.
  • FreePBX versions affected: any version prior to version 12 (e.g. 2.8, 2.9, 2.10, 2.11).
  • All OS versions.
  • This is a FreePBX-only bug: not Asterisk, not the OS, etc.
  • It is safe to upgrade on a production/live system. Restarts or reboots are not required.

The fixes have been available since 30 Sept 2014. Users are advised to run the following commands and/or to upgrade via the web interface (Module Admin page). The commands below require internet access from the Asterisk/FreePBX console in order to fetch the upgrade.

(Do not copy the '#' when pasting into the PuTTY/CLI interface; it only indicates the command-line prompt.)

#rm -rf /var/www/html/admin/modules/admindashboard
#amportal a ma delete admindashboard

NOTE: You may not have the above module installed at all. If the two commands above return an error, ignore it and proceed as below.

Now locate and delete these files, like so:

#find / -name 'c2.pl' -type f -exec rm -i {} \;
#find / -name 'c.sh' -type f -exec rm -i {} \;

The above commands search the whole filesystem for the dropped hacking scripts (if any exist) and ask before removing each one; just hit [y]es for each file found. If nothing is found, the commands return empty output.

Finally, and most importantly, get the upgrade:
#amportal a ma upgrade fw_ari
#amportal a r

Alternatively, you can upgrade the module via the FreePBX Module Admin page, as noted above.
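Before deleting anything, it helps to know what you are dealing with. The following is an added example (not part of the original advisory and not FreePBX's own tooling): a dry-run sweep for the indicators the advisory lists, written so it can be pointed at any root directory and tried out on a constructed tree before being run against '/'. The indicator names (the admindashboard module directory, c2.pl, c.sh) and the module path come from the advisory; the function name ioc_sweep, its ROOT argument and the output labels are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the FreePBX advisory. Dry-run sweep for the
# indicators of compromise named in the advisory; it reports, it does not delete.
#
# ioc_sweep [ROOT]
#   Prints one line per hit ("ROGUE_MODULE <path>" or "DROPPED_SCRIPT <path>").
#   Returns 0 when nothing was found, 1 when at least one indicator is present.
#   ROOT defaults to '/'; pass a test directory to exercise it safely.
ioc_sweep() {
    root="${1:-/}"
    hits=0

    # Rogue module directory the advisory tells you to remove. Hypothetical
    # label ROGUE_MODULE is this example's own convention.
    rogue="$root/var/www/html/admin/modules/admindashboard"
    if [ -d "$rogue" ]; then
        echo "ROGUE_MODULE $rogue"
        hits=$((hits + 1))
    fi

    # Dropped helper scripts. find -exec/-print handles paths containing
    # whitespace, which a "for i in `find ...`" loop does not.
    for name in c2.pl c.sh; do
        found=$(find "$root" -type f -name "$name" -print 2>/dev/null)
        if [ -n "$found" ]; then
            printf '%s\n' "$found" | sed 's/^/DROPPED_SCRIPT /'
            hits=$((hits + $(printf '%s\n' "$found" | wc -l)))
        fi
    done

    [ "$hits" -eq 0 ]
}

# Usage on a live box (after reviewing the output, delete the hits by hand or
# with the advisory's rm commands):
#   . ./ioc_sweep.sh && ioc_sweep / ; echo "exit status $?"
```

Run it first, act on what it reports, then apply the upgrade. Remember that these two filenames are only the droppers seen at the time; a clean sweep does not prove the box was never exploited, and a host where the web UI was reachable from the internet deserves a closer look at the asterisk user's crontab, /tmp and the web root regardless.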

Systems that expose the FreePBX web interface (HTTP/HTTPS, TCP 80 or TCP 443) to the internet are at particularly high risk. You are advised to immediately close all access from the Internet to your FreePBX web UI; you should be doing so anyway as a matter of best security practice.

For a more detailed understanding, please check out this article: http://goo.gl/6JT3oT
