If you have an asterisk PBX phone server running on an Internet routable IP, using the freePBX web GUI, and don’t have one of the latest releases it may be vulnerable.
Its very common to have freePBX on a public IP, usually if you have multiple locations using the same freePBX server.
Almost no exists information about this vulnerability, and as of right now its not listed on CVE details:
To test, visit this URL in your browser:
Switch yourip with your IP, and admin with your admin directory.
A 404 means you are protected, if you get a nothing, view source, or download a copy of that page with wget or curl to ensure its blank.
If there is a bunch of code, or entries, then you have a version that is vulnerable. If you look for ARI_ADMIN_USERNAME and ARI_ADMIN_PASSWORD that should match the initial login you had for the management interface.
This will allow anyone to log in, then they can do anything they want, ex view your sip extensions, view the password in plain text, and then connect to your phone server and run up your phone bill.
Typically a hacker will enable long distance or out of the country calling and or 900/976 numbers, even if you had them blocked in your outbound routes, allowing them to possibly make your responsible for thousands of dollars in phone calls.
How to block this you wonder? Read below.
#1 Upgrade freePBX to the latest version, and the easiest way to do that is by following the instructions here:
Then harden your server
#2 limit access to your phone server to only what IPs absolutely need to access it, if you have phones on dynamic IPs, such as typical DHCP off of an ISP cable or DSL modem, this may not be practical and you may want to allow a block of IPs, or limit it by country.
Most hackers are out of the country, so this will keep a lot of them from finding your server in the first place, now it is possible for them to use a proxy, but a lot of times they won’t take that extra step.
You can restrict IPs with IP tables for Linux, it helps if you use a Firewall manager such as the APF firewall available here:
#3 You can also restrict access to the admin interface to a a single or few IPs by editing httpd.conf
Look for the code below you will want to add an allow line(s) for the IP(s) you want to access the web interface from:
Options Indexes FollowSymLinks
# Controls who can get stuff from this server.
allow from 184.108.40.206
deny from all
#4 Shut off apache, the web interface isn’t needed to make or receive phone calls, so you can leave it off and only turn it on when you need to work in it:
service httpd off
#5 Switch the httpd port, a port scanner will get around this, but this makes them go through yet one more step. You would do that with this line in httpd.conf
Then restart apache.
#6 Test everything to verify you can access the server/web interface and other IPs can’t
#7 Keep an eye on your box, look at the asterisk log to see what extensions, and what IPs are registering:
cat /var/log/asterisk/full |grep Reg
View your call logs, make sure there aren’t any unusually high number of calls, and if you have international or 900/976 numbers enabled by your provider look at the logs extra carefully for those.
Hope this helps you keep your FreePBX system safe and secure!