Vulnerabilities in FusionPBX

Thread:
https://www.dslreports.com/forum/r32414922-Vulnerabilities-in-FusionPBX

Original Thread:
https://securityboulevard.com/2019/06/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx/

CVE-2019-11408: Dustin Cobb – XSS in Operator Panel
CVE-2019-11409: Dustin Cobb – Command Injection in Operator Panel
CVE-2019-11410: Dustin Cobb – Command Injection in Backup Module
CVE-2019-11407: Dustin Cobb – Information disclosure through debug parameter


What I find disturbing is this:

04/04/19 – Vulnerabilities disclosed to FusionPBX
04/05/19 – Developer pushes preliminary patches to the project’s Github
04/07/19 – Attempt to contact developer to discuss coordinated disclosure
04/09/19 – Developer responds and states that they do not intend to publish advisory or otherwise disclose the existence of the vulnerabilities
04/22/19 – CVE IDs obtained and shared with developer, 2nd request for coordination of public disclosure, no response received
05/22/19 – Aon provides updated patch for CVE-2019-11409 in a pull request
06/02/19 – Pull request accepted
06/06/19 – Aon public disclosure

WTF?
 

DigitalDaz

Administrator
Staff member
I suppose even more worrying is the fact that an iptables rule has JUST been reinstated to catch this exploit attempt. We already know this is patched as confirmed in the CVE. The reintroduction of the iptables rules may well imply that there are other places where this attack could be effective.
 

markjcrane

Active Member
Staff member
They offered for me to write the CVE or that they would write it. They offered, and so I took them up on that offer. You know, delegating work. That allowed me to spend more time on improvements to the security of the entire project.

DigitalDaz, you had something to do with that rule being removed, or did you forget that? But this sudden release of the vulnerability ahead of schedule made it apparent that the band-aid is still needed, in particular for those on the 4.4 branch and older versions of FusionPBX. So for that reason it was re-applied. It was never removed for people that installed while it was there.

Also I was going to push more changes to 4.4 before releasing an announcement to spread the word and make it more likely that more hackers would become aware and start exploiting people on 4.4.

If you are on the LATEST master branch you are safe from these released vulnerabilities. If you haven't followed my constant advice to upgrade to the latest Master branch, at the moment you are not completely safe. If you are on an old version or 4.4 and do not have time to upgrade or do not want to, then at least do this.

rm -R /var/www/fusionpbx/app/operator_panel

Since the code is open source, everyone here also had that opportunity. No coding skill? Then you could have hired someone to review it or asked a friend with enough skills to do so.

While some accuse us of being neglectful and write up complaints, we are working on improving the code of the entire project on a nearly daily basis. We have had some people submit pull requests, occasional bug fixes, and some have reviewed security. No single person will catch all security problems. So the best security requires resources and multiple developers and security consultants. It takes either a lot of volunteers, ones that are willing to do mundane tasks, or it takes a lot of money to pay people to do this.

This highlights the reason why I started the Continuing Education and later the FusionPBX membership and put time into it. I have pleaded for more support, but I don't think many of you realize how much it is needed or the level of work involved to build and maintain this project. Things are headed in a better direction: the membership concept is working, and we hired another support person who is also able to help with security. We will succeed unless negativity prevails.

Choose whether you will be part of helping this project get better and then find a way to help.
 
Hi markjcrane. The product you give to the community is priceless. I have been a long time user and love this product. I have submitted patches (long ago) and have more to improve the Fanvil provisioning once I'm happy with our internal templates. People need to remember the risks and benefits of using open source products.

I'm not sure if people remember the OpenSSL bug that existed for 10 years. It's an open source product and anyone could have patched it.

Keep up the good work. We will be signing up as a member for fusionpbx to get support and keep the product going.
 

markjcrane

Active Member
Staff member
Update for FusionPBX 4.4
On Monday late night I moved more code changes to 4.4, ones that were not in the announcement.
Currently emptied operator_panel/exec.php to protect people that upgraded to latest FusionPBX 4.4.
This means you don't have to remove the operator panel, only update it. But if you use it, actions are currently disabled.
Viewing it is working.
Added a twitter announcement where I normally have posted public news https://twitter.com/fusionpbx
In the future will use the FusionPBX website more for news.
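The two interim mitigations described in the posts above (deleting app/operator_panel outright, or the 4.4 update that leaves the directory in place but empties operator_panel/exec.php) can be audited with a small read-only check. The script below is an added example written for this page; it is not code from the thread or from the FusionPBX project. It assumes the stock install root /var/www/fusionpbx and the path names app/operator_panel and exec.php as given in the posts; any other root can be passed as the first argument. The demonstration at the bottom runs against a constructed temporary directory, not a real install.

```shell
# Added example, not FusionPBX project code. Reports which (if any) of the
# interim operator panel mitigations from the thread is in place.
# Assumption: default install root /var/www/fusionpbx, paths from the thread.
fusionpbx_operator_panel_status() {
    root="${1:-/var/www/fusionpbx}"
    panel="$root/app/operator_panel"
    exec_php="$panel/exec.php"

    if [ ! -d "$panel" ]; then
        echo "removed"       # the "rm -R .../app/operator_panel" mitigation was applied
        return 0
    fi
    if [ ! -f "$exec_php" ]; then
        echo "exec-missing"  # directory present but exec.php itself is gone
        return 0
    fi
    if [ ! -s "$exec_php" ]; then
        echo "exec-emptied"  # the 4.4 update that emptied exec.php is in place
        return 0
    fi
    echo "exposed"           # operator panel present with a non-empty exec.php
    return 1                 # non-zero so the check can gate a cron or monitoring job
}

# Demonstration against a constructed directory tree in a temp dir (no real install touched).
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/app/operator_panel"
printf '<?php echo "constructed placeholder";\n' > "$demo_root/app/operator_panel/exec.php"
echo "before mitigation: $(fusionpbx_operator_panel_status "$demo_root")"
: > "$demo_root/app/operator_panel/exec.php"           # emulate the 4.4 update (emptied exec.php)
echo "after emptying exec.php: $(fusionpbx_operator_panel_status "$demo_root")"
rm -r "$demo_root/app/operator_panel"                   # emulate the rm -R mitigation
echo "after removing the directory: $(fusionpbx_operator_panel_status "$demo_root")"
rm -r "$demo_root"
```

Run it as the web server user or root against the real root (`fusionpbx_operator_panel_status /var/www/fusionpbx`) after applying either mitigation; "exposed" with exit status 1 means neither has taken effect, which is the state the thread warns about for installs that have not been upgraded.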
 

markjcrane

Active Member
Staff member
CVE-2019-11410: Dustin Cobb – Command Injection in Backup Module
This backup module is in app/backup; it is not used by many people and is available only to users in the superadmin group. The patched version from the master branch has just been moved to fusionpbx-apps/backup. It has been removed from the 4.4 and Master branches. Moving it is not a new idea; I have been considering it for a year or two.

The preferred method for backup is the fusionpbx-backup shell script found here https://github.com/fusionpbx/fusionpbx-install.sh/tree/master/debian/resources/backup
 

markjcrane

Active Member
Staff member
Spent lots of time in the last week working more on tightening up security. Over the weekend I put in about 20 hours looking through code and strengthening it on both the 4.4 branch and Master. The Master branch is ahead in security because some of the changes in Master aren't compatible with 4.4. The main thing in this regard is the database class with parameterized queries. If you care about security then you should consider upgrading and staying up to date with the latest FusionPBX.
 

markjcrane

Active Member
Staff member
A new install will now default to FusionPBX Master and FreeSWITCH 1.8.4.

On a side note, the class just helped us find some bugs and we worked immediately after to fix them. Also fixed a few this morning reported by FusionPBX members.
 
Hi,
It did install 1.8.4, but now I cannot install the Nibblebill module. apt-get install freeswitch-mod-nibblebill is giving me "Unable to locate package freeswitch-mod-nibblebill", and it is not even going from source.
 

DigitalDaz

Administrator
Staff member
Tuly, the fusionpbx build should rightly not install nibblebill; it has nothing to do with fusionpbx and we certainly don't want to be compiling everything. You will need to edit configs and build it manually.

Alternatively, you can install my packages. mod_nibblebill is in there, but again you would have to pull it in manually with an apt statement. You'll find instructions in this thread: https://www.pbxforums.com/threads/freeswitch-1-8-5-nat-bug.3069/
 

markjcrane

Active Member
Staff member
**Security Update**
If we were to graph the work on security over the past year you would see that it has been going up, and in the last 4 months it has gone up dramatically. The last two weeks it has accelerated even more. There is someone submitting security related tickets to us and we are fixing them as fast as we can. They are fixed on the master branch and then most of these have been back ported to the 4.4 branch. Some of this work has caused some bugs; we are working quickly to resolve these issues as they are reported at www.fusionpbx.com. The current batch of vulnerabilities will be submitted as CVEs by the person that found them, so that person gets credit for their work, in around 30 days from the time they were fixed. Please find time to upgrade to the latest 4.4 or master branch. Right now I suggest upgrading regularly while we get security tightened down further.

My apologies to everyone for the security problems. My desire in making FusionPBX was to make software that I was interested in and an attempt to do my part in making the world a better place. Vulnerabilities threaten that life goal. So I promise we are taking the vulnerabilities seriously and will keep working on them as fast as we can. Thanks to FusionPBX members we have more resources than we have ever had, and we are progressing more rapidly than was possible last year or any year before. Thanks to all those helping us to do better, those that have contributed, and those submitting security tickets to us.
 