FreePBX Security Advisory

This is a security notice to FreePBX users, which may include pbxinaflash, Elastix and Trixbox users. This security notice is going out to inform you of a critical security vulnerability in these systems. Please be aware that this notice does not pertain to Callcentric’s servers as this exploit is entirely user side.

We have been informed of a critical zero-day exploit for FreePBX users, which means that the threat to their PBX/network security is imminent. This exploit allows attackers to prey on weak security practices, while taking advantage of security vulnerabilities in FreePBX, to take full control of a FreePBX installation:

We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.

This is taken from the FreePBX notice posted here: http://www.freepbx.org/node/92822 . Please read this notice very carefully and take the proper steps to secure your installation.

Additionally it appears that users of FreePBX systems may be practicing lax security within their networks. Please carefully read our security advisory here: http://www.callcentric.com/support/device/security . Specifically please take note of the Network section. Ideally you should have ONLY the following ports open to the public when configuring your FreePBX machine to connect to Callcentric:

5060/SIP
10000-20000/RTP

All other ports, including HTTP/HTTPS should have strict rules limiting access either from ONLY the local network or from SPECIFIC IP addresses/networks. This can be done through your router or through the firewalls on the linux based machines:

To configure the Callcentric IPs that your network will communicate with please see the information here: http://www.callcentric.com/faq/9#254 .

For example you may configure your local SIP port on an Ubuntu machine by issuing the ufw command:

This assumes you are using port 5060. Ideally you will want to change this to a non standard port.

Enable the firewall and open port 5060

sudo ufw enable
sudo ufw insert 1 allow 5060

Allow HTTP/HTTPS traffic ONLY from the local network (192.168.1.0/24 is used here)


sudo ufw insert 1 allow 80
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 80
sudo ufw insert 1 allow 443
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 443

Allow incoming traffic to 5060 from Callcentric

sudo ufw allow proto tcp from 204.11.192.0/24 to any port 5060
sudo ufw allow proto tcp from 66.193.176.35 to any port 5060
sudo ufw allow proto tcp from 66.193.176.54 to any port 5060
sudo ufw allow proto tcp from 66.193.176.58 to any port 5060

To allow RTP traffic (Standard RTP ports for Asterisk are 10000-200000):

sudo ufw allow proto udp from 204.11.192.0/24 to any port 10000:20000
sudo ufw allow proto udp from 66.193.176.35 to any port 10000:20000
sudo ufw allow proto udp from 66.193.176.54 to any port 10000:20000
sudo ufw allow proto udp from 66.193.176.58 to any port 10000:20000

The above is an example for Ubuntu based systems and will need to be tailored for your specific environment and operating system.

Please be aware that while we provide basic advice in securing your phone system, our guides and advice are primarily related to being able to make and receive calls with our service. it is ultimately your responsibility to ensure that your network is secure.

We encourage our users to take this information seriously as it could lead to unauthorized calls being placed through your FreePBX based solution. Callcentric is not responsible for unauthorized calls placed through compromised systems on the user side. If we do see unusual traffic from your account then we will automatically block this account and will then need you to inform us of the steps you have taken to secure your network in order to restore service.