
FreePBX as a route to intrusion and data breach


The History

FreePBX has been around for well over a decade and was one of the three popular Asterisk GUIs. Asterisk itself has been around longer, and we've been providing and supporting it since version 1.6. That aside, FreePBX has been constantly developed and enhanced with functions and features, providing a framework for building an Asterisk dial plan configuration through a GUI. FreePBX provides include files that can be leveraged to add custom dial plans whilst maintaining general management via the GUI.

Up until 2015, FreePBX was in a constant development cycle, with regular updates, fixes and features provided primarily by Schmooze, a Wisconsin-based developer who offered commercial support and some commercial modules to monetise the operation. These commercial modules could (mostly) be purchased with a 25-year licence, and for many this was a great way to get commercial features for a one-off price.

In January 2015, Sangoma acquired Schmooze, and from this point onwards development slowed, updates slowed and commercially licensed modules stopped updating. Today, development on FreePBX seems to have completely stopped, and even the blog postings on freepbx.org have stopped. Sangoma are still selling the same modules, but now for an annual charge, and of course selling 'commercial' support.

The Breach

Back to the title. We were investigating a data breach at a company (not an existing customer), working backwards from the epicentre, their MySQL server, to the source. We had already identified that the MySQL server login had been 'discovered' and used to select data from a range of tables, and that the connections had come from the FreePBX box. We removed the FreePBX box, imaged it and then returned it. Analysing the image, we could see the mysql command-line client (mysql -u ...) being run from the root login against the company's remote MySQL server.

I won't bore you with the nitty-gritty of the FreePBX box compromise, but let's just say that it was running PHP 5 on CentOS 6.5, as most of them are, because the 'update' feature won't upgrade FreePBX between major versions or upgrade PHP. Operating system updates won't take PHP past its current major version, so any PHP upgrade has to be done manually, and of course you can't upgrade CentOS in place between major versions. These shortcomings mean the majority of unsupported FreePBX systems are vulnerable and an easy target. Combine this with the relatively complex setup of NATted SIP or IAX, which encourages the bad practice of putting FreePBX on the dirty side of the firewall (if there is even a firewall).

Once the FreePBX Linux box was compromised, there were numerous opportunities to pillage the configuration for upstream SIP trunk credentials (stored in the clear) as well as voicemail passwords. The attacker had created an inbound route on the switch directing a DDI number to a DISA (Direct Inward System Access) destination, allowing them to dial through the system from outside as though they were an internal extension. There was also evidence of numerous reconfigurations of inbound routes, for reasons unknown. I fully expected the attacker to create an extension, pretend to be 'IT' and talk staff out of their credentials, but instead they simply dumped the asterisk database and found the MySQL server credentials stored IN THE CLEAR in the superfectaconfig table (the configuration store for the CallerID Superfecta module's lookup sources).
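As an added example (not from the original article and not a FreePBX tool), the following POSIX shell script triages a FreePBX host, or a mounted image of one, for the two exposures just described: third-party credentials sitting in the clear in the asterisk database and the generated Asterisk config, and the mysql client being run from the root account against a remote server. The superfectaconfig column names (source, field, value), the config file paths and the sample inputs in the usage note are assumptions and constructed data, not values taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original article or of FreePBX itself.
# Triage a FreePBX host (or its mounted image) for:
#   1. lookup-source credentials stored in clear in the asterisk database,
#   2. SIP trunk/extension secrets in the generated Asterisk config,
#   3. the mysql client being run from root against a remote database.
# Assumed, not confirmed on the page: superfectaconfig has the columns
# source, field, value; paths are typical CentOS/FreePBX defaults.

ASTERISK_ETC="${ASTERISK_ETC:-/etc/asterisk}"
ROOT_HOME="${ROOT_HOME:-/root}"

# Read tab-separated "source<TAB>field<TAB>value" rows (the shape `mysql -N`
# prints) and report rows whose field name looks like a secret and whose
# value is non-empty. Only the length is printed, never the secret itself.
flag_cleartext_secrets() {
    awk -F'\t' '
        tolower($2) ~ /pass|pwd|secret|token|api_?key/ && $3 != "" {
            printf "CLEARTEXT %s.%s (%d chars)\n", $1, $2, length($3)
        }'
}

# Read shell history lines and report mysql/mysqldump invocations that name
# a host other than the local one, in the -h HOST, -hHOST and --host=HOST forms.
flag_remote_mysql() {
    awk '
        {
            cmd = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /(^|\/)mysql(dump)?$/) { cmd = i; break }
            if (!cmd) next
            host = ""
            for (i = cmd + 1; i <= NF; i++) {
                if ($i == "-h" || $i == "--host") host = $(i + 1)
                else if ($i ~ /^-h./)            host = substr($i, 3)
                else if ($i ~ /^--host=/)        host = substr($i, 8)
            }
            if (host != "" && host != "localhost" && host != "127.0.0.1")
                printf "REMOTE-DB %s: %s\n", $cmd, host
        }'
}

# Live collection on the box itself. Needs MySQL access to the asterisk
# database (for example via root's ~/.my.cnf). Run as: sh triage.sh --live
run_live() {
    mysql -N -D asterisk -e 'SELECT source, field, value FROM superfectaconfig' \
        | flag_cleartext_secrets
    # Secrets FreePBX writes into the Asterisk config tree: report where
    # they are without echoing the values.
    grep -Hn -E '^(secret|password)=' \
        "$ASTERISK_ETC/sip_additional.conf" "$ASTERISK_ETC/pjsip.auth.conf" 2>/dev/null \
        | sed 's/=.*/=<redacted>/'
    [ -r "$ROOT_HOME/.bash_history" ] && flag_remote_mysql < "$ROOT_HOME/.bash_history"
    [ -r "$ROOT_HOME/.mysql_history" ] && \
        printf 'NOTE root has a mysql client history (%s lines)\n' \
            "$(wc -l < "$ROOT_HOME/.mysql_history")"
    return 0
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Against an image rather than a live box, point ASTERISK_ETC and ROOT_HOME at the mount point and feed `flag_cleartext_secrets` a `mysql -N` export of superfectaconfig taken from the image's MariaDB data. With a constructed history line such as `mysql -u cidlookup -p -h 10.20.0.15 crm`, `flag_remote_mysql` reports `REMOTE-DB mysql: 10.20.0.15`; a constructed row `MySQL<TAB>DB_Password<TAB>S3cret!pw` is reported as `CLEARTEXT MySQL.DB_Password (9 chars)`.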

The Risk

This tendency to store credentials in the clear, combined with the awkward upgrade routes and the general lack of ongoing support, makes FreePBX servers a target for intrusion and an easy escalation path into the rest of the network. VoIP servers are often overlooked by risk managers because they are thought to be 'isolated' from the things that matter, but as we can see here, a simple caller ID lookup provided everything needed to compromise the main database server and export it all. Some will comment that the MySQL login should have been a dedicated account restricted to a single table (or, better, a read-only view), but in reality that just doesn't happen very often.

I'm not sure what the future holds for FreePBX now that development has ceased in Sangoma's hands. We could see a community-supported fork, much in the way MariaDB forked from MySQL, or Sangoma could reignite development, but either way having unsupported FreePBX systems out there is a clear issue that needs attention.

IF YOU ARE RUNNING FreePBX and don't have an active support agreement, then get one and ensure that:

  • It's running the latest version of FreePBX, which at the time of writing was v15.
  • It's running on CentOS 7 or later.
  • It's behind a firewall with SIP/IAX NATted, and firewalld is set up and configured so that only your SIP provider can reach the signalling and RTP ports from the outside.
  • Apache (and with it the FreePBX GUI) is restricted to the LAN.
  • You do NOT give CallerID Superfecta or CIDLookup credentials to your database server. If you MUST use caller ID lookup, push a limited table of data to the FreePBX server's own MariaDB database and query it there, using a local account that can read that one table and nothing else.
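The firewall and Apache items of the checklist, applied on a CentOS 7 host with firewalld and Apache 2.4, as an added example rather than anything from the article or from FreePBX's own Firewall module. The network values (LAN_NET, TRUNK_IPS, RTP_PORTS) and the drop-in file name are placeholders to replace with your own; the RTP range must match what FreePBX has in its Asterisk SIP Settings.

```shell
#!/bin/sh
# Added example, not from the original article or from FreePBX.
# Hardening for a FreePBX host on CentOS 7: firewalld zones that let the
# LAN reach the GUI and let phones reach SIP, allow only the SIP provider
# to reach SIP/RTP from the Internet, and an Apache 2.4 drop-in that keeps
# the web GUI LAN-only. All addresses below are placeholders (RFC 1918/5737).
LAN_NET="${LAN_NET:-192.168.10.0/24}"                 # admins and desk phones
TRUNK_IPS="${TRUNK_IPS:-203.0.113.10 203.0.113.11}"   # provider signalling/media hosts
RTP_PORTS="${RTP_PORTS:-10000-20000}"                 # must match Asterisk SIP Settings
APACHE_CONF="${APACHE_CONF:-/etc/httpd/conf.d/zz-freepbx-lan-only.conf}"
FWCMD="${FWCMD:-firewall-cmd}"   # set FWCMD=echo to dry-run the firewall changes

# Apache 2.4 fragment: every path on the PBX web server, GUI included,
# only answers to the given network and to the box itself.
apache_lan_only() {
    printf '<Location "/">\n    Require ip %s 127.0.0.1 ::1\n</Location>\n' "$1"
}

# firewalld: "internal" zone for the LAN, "public" (default, target DROP)
# for everything else, with pinholes for the trunk provider only.
# Add 4569/udp to the trunk rules if you run IAX trunks.
firewall_rules() {
    $FWCMD --permanent --zone=internal --add-source="$LAN_NET"
    $FWCMD --permanent --zone=internal --add-service=http --add-service=https --add-service=ssh
    $FWCMD --permanent --zone=internal --add-port=5060/udp --add-port=5060/tcp --add-port="$RTP_PORTS/udp"
    $FWCMD --set-default-zone=public
    $FWCMD --permanent --zone=public --set-target=DROP
    $FWCMD --permanent --zone=public --remove-service=ssh --remove-service=dhcpv6-client
    for ip in $TRUNK_IPS; do
        $FWCMD --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="'"$ip"'" port port="5060" protocol="udp" accept'
        $FWCMD --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="'"$ip"'" port port="'"$RTP_PORTS"'" protocol="udp" accept'
    done
    $FWCMD --reload
}

# Write the Apache drop-in, check the config before reloading, then apply
# the firewall rules. Run as: sh harden.sh --apply
apply_hardening() {
    apache_lan_only "$LAN_NET" > "$APACHE_CONF"
    apachectl configtest && systemctl reload httpd
    firewall_rules
}

if [ "${1:-}" = "--apply" ]; then apply_hardening; fi
```

Dry-run the firewall part first with `FWCMD=echo` and a call to `firewall_rules`, and check the exact ports and hosts your provider publishes before applying. The FreePBX Firewall module manages iptables itself, so run either it or firewalld, not both; remote phones outside LAN_NET need a VPN or their own pinholes. For the last checklist item, point the Superfecta MySQL source at localhost and give it a dedicated MariaDB account that can SELECT only the pushed lookup table, so no credential for the real database ever exists on the PBX.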

If you found this interesting, comment and/or like it. If you need help and advice on your FreePBX server, use the forums for free community assistance or the HelpDesk for priority support.


Comments 5

Guest - Brian L on Thursday, 05 September 2019 00:21

"In January 2015, Sangoma acquired Schmooze and from this point onwards, development slowed, updates slowed and commercially licensed modules stopped updating. Today, development on FreePBX seems to have completely stopped, and even the blog postings on freepbx.org have stopped. Sangoma are still selling the same modules but this time for an annual charge and of course selling 'commercial' support. We provide commercial support for FreePBX too, but we do it cheaper and we don't make you buy 'credits' beforehand. "

There are so many inaccuracies in this paragraph alone; this article shouldn't have made it to published state. Development is ongoing, I see it every day. Did you even care to look at the Sangoma Issue Tracker? The FreePBX community forums? Could you even be bothered to ask anyone? This is clickbait at best and outright lies at worst.

Technical Support Team on Thursday, 05 September 2019 09:04

Thank you, Brian L, for your thoughts. I didn't write the article, but I did see a draft about a week ago and, re-reading it today, I think it's fairly accurate, but I will address your comment directly.

FreePBX DEVELOPMENT has stagnated in the hands of Sangoma, and I see this every day. As Jon said, there hasn't been a new module or noteworthy feature for a long time, and on top of that we're seeing historically functional modules no longer available online and available to new systems. This is no surprise to anyone; it's just business. With Sangoma now selling Switchvox, why on earth would they put time and money into an open source competitor?

I did take a look at the issue tracker, and it shows 804 open issues, so thank you for highlighting that for us.

The forums are, as Jon said, full of people trying to get help for issues. We support just under 600 switches on maintenance, and most of these were migrated to FreePBX in the past from Elastix, Fonality, etc., but for anyone who doesn't use FreePBX internally we're pulling it out and rebuilding the dial plans manually, simply to reduce risk, increase performance and improve security. The WHOLE POINT of this article was to highlight an issue we recently discovered in an audit and to make people aware so they can secure their box.

I get that you are obviously a FreePBX fan, and that's great, but storing database passwords in the clear is unforgivable in the 21st century!

Guest - Jon Harman on Thursday, 05 September 2019 08:13

That may be your opinion, but as a FreePBX user I think it's fairly accurate. I cannot remember the last time we had a new module or feature worth mentioning, and the community forums are mostly people with issues trying to get some help. I like FreePBX and its clunky 90's interface, but what I didn't know, and what was highlighted in this article, was that it stores important passwords in clear text!! I know someone is going to comment that it's open source and if I'm not happy then go fix it myself, but I am not a programmer. I found the article interesting and it made me think about securing the server, which I'm doing today.

Guest - sandy on Saturday, 07 September 2019 09:51

I think the market is consolidating, and with commercial options like 3CX offering 25 users FOC and Sangoma actively promoting Switchvox to FreePBX installs, it's about done. We had FreePBX for years but migrated to 3CX about a year ago and are very happy with it. There are other open PBXs up and coming, like Fusion, but I think the market will move small business to free or budget commercial systems and open PBXs will be left for home users etc.

For storing passwords in the open, that's really bad and needs to be highlighted so people can remove them and make the box safe.

Guest - Akmad al-kitat on Friday, 20 September 2019 20:47

I did not see that 3CX was free for 25 users! Thank you, sandy, for pointing that out to me!
