Servers running Digium Phones VoIP software are getting backdoored

'Servers running the open source Asterisk communication software for Digium VoIP services are under attack by hackers who are managing to commandeer the machines to install web shell interfaces that give the attackers covert control, researchers have reported. Researchers from security firm Palo Alto Networks said they suspect the hackers are gaining access to the on-premises servers by exploiting CVE-2021-45461. The critical remote code-execution flaw was discovered as a zero-day vulnerability late last year, when it was being exploited to execute malicious code on servers running fully updated versions of Rest Phone Apps, aka restapps, which is a VoIP package sold by a company called Sangoma. The vulnerability resides in FreePBX, the world's most widely used open source software for Internet-based Private Branch Exchange systems, which enable internal and external communications in organizations' private internal telephone networks. CVE-2021-45461 carries a severity rating of 9.8 out of 10 and allows hackers to execute malicious code that takes complete control of servers.'

-- source: https://arstechnica.com/information-technology/2022/07/servers-running-digiu...

Cheers, Peter
-- 
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174 (office)
+64 (7) 577-5304 (home office)
https://www.cs.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

On Tue, 19 Jul 2022 09:57:36 +1200, Peter Reutemann quoted:
'The vulnerability resides in FreePBX, the world's most widely used open source software for Internet-based Private Branch Exchange systems, which enable internal and external communications in organizations' private internal telephone networks.'
This can all get quite confusing to disentangle. The article mentions “Elastix”, which according to the linked page <https://www.voip-info.org/elastix/>, is ...

    an appliance software that integrates the best tools available for Asterisk-based PBXs into a single, easy-to-use interface. It also adds its own set of utilities and allows for the creation of third-party modules to make it the best software package available for open source telephony.

This is built on FreePBX <https://www.voip-info.org/freepbx/>, which is described as a “web application”. Underlying all of this is Asterisk <https://www.asterisk.org/>, which could be described as a highly versatile “telephony engine”. The above FreePBX page goes on to say:

    If you’ve looked into Asterisk, you know that it doesn’t come with any “built-in” programming. You can’t plug a phone into it and make it work without editing configuration files, writing dialplans, and various messing about. FreePBX simplifies this by giving you pre-programmed functionality accessible by a user-friendly web interface that allows you to have a fully functional PBX pretty much straight away with no programming required.

I haven’t used FreePBX, but I have set up and managed Asterisk installations. So it seems the security issue is in the FreePBX layer, not in Asterisk itself.