
On Tue, 19 Jul 2022 09:57:36 +1200, Peter Reutemann quoted:
'The vulnerability resides in FreePBX, the world's most widely used open source software for Internet-based Private Branch Exchange systems, which enable internal and external communications in organizations' private internal telephone networks.'
This can all get quite confusing to disentangle. The article mentions “Elastix”, which according to the linked page <https://www.voip-info.org/elastix/>, is

    ... an appliance software that integrates the best tools available for Asterisk-based PBXs into a single, easy-to-use interface. It also adds its own set of utilities and allows for the creation of third-party modules to make it the best software package available for open source telephony.

This is built on FreePBX <https://www.voip-info.org/freepbx/>, which is described as a “web application”. Underlying all of this is Asterisk <https://www.asterisk.org/>, which could be described as a highly versatile “telephony engine”. The above FreePBX page goes on to say:

    If you’ve looked into Asterisk, you know that it doesn’t come with any “built-in” programming. You can’t plug a phone into it and make it work without editing configuration files, writing dialplans, and various messing about. FreePBX simplifies this by giving you pre-programmed functionality accessible by a user-friendly web interface that allows you to have a fully functional PBX pretty much straight away with no programming required.

I haven’t used FreePBX, but I have set up and managed Asterisk installations. So it seems the security issue is in the FreePBX layer, not in Asterisk itself.