We have received reports of a new vulnerability found in FreePBX version 2.9 or newer. The vulnerability is considered critical.

This vulnerability can be exposed through the HTTP interface. We recommend that you always restrict access to your PBX HTTP port. This vulnerability is a reminder to review your security preparedness again.

For those of you who use PIAF PBX, please make sure that you look at the implementation of Travelinman 3 (http://nerdvittles.com/?p=815). This is one of many ways to effectively protect your PIAF PBX. Please note that PIAF PBX uses Apache authentication that SHOULD prevent the vulnerability from being exploited.

For those of you who do not use PIAF PBX, we provisioned your PBX with the web interface closed by default. If you have not made any changes, you should be fine. If you have made any changes to your iptables rules, please review them again to make sure that access to your PBX HTTP port is restricted to you only. Please follow up with your PBX distribution's support for updates that fix this issue.
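
One way to carry out that review on a saved ruleset, as an added example that is not part of the original notice: the function below reads iptables-save output and prints INPUT ACCEPT rules that open TCP 80 or 443 without a source restriction. It assumes the web interface listens on those ports and that rules name them with --dport or --dports; the sample ruleset and the address 203.0.113.10 are constructed.

```shell
#!/bin/sh
# Added example, not from the original notice.
# Prints INPUT ACCEPT rules that open TCP 80/443 to any source address.
# Input: `iptables-save` format on stdin.
# Assumptions: the web GUI listens on TCP 80 and/or 443, and rules name
# those ports with --dport or --dports. Chain policies and jumps to
# user-defined chains are not evaluated.
unrestricted_web_rules() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        src = ""; ports = ""; target = ""; proto = ""
        for (i = 3; i < NF; i++) {
            # A negated source (! -s addr) still admits almost everyone.
            if (($i == "-s" || $i == "--source") && $(i - 1) != "!") src = $(i + 1)
            if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT" || proto != "tcp" || ports == "") next
        web = 0
        n = split(ports, p, ",")
        for (k = 1; k <= n; k++) {
            # A range such as 1:1024 covers the web ports as well.
            m = split(p[k], r, ":")
            lo = r[1] + 0
            hi = (m == 2 ? r[2] : r[1]) + 0
            if ((lo <= 80 && 80 <= hi) || (lo <= 443 && 443 <= hi)) web = 1
        }
        if (web && (src == "" || src == "0.0.0.0/0")) print
    }'
}

# Constructed sample ruleset; 203.0.113.10 is a documentation address.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
EOF
}

# Flags the 443 rule and the multiport 22,80 rule.
sample_rules | unrestricted_web_rules
```

On a live system, run `iptables-save | unrestricted_web_rules` as root; any line it prints is a rule to tighten or remove.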

In any case, it is wise to update your FreePBX Framework Module. For further information, please see http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice

To update your FreePBX modules:

  1. From your SSH console, type:

       amportal a modadmin upgrade framework
       amportal a r

  2. You can also update through the FreePBX GUI Module Admin section.

Thursday, February 6, 2014
