FreePBX 13: a fully patched system can be compromised via the PSTN

The title sounds scary, but it is the truth and can easily be tested on your FreePBX install (so far tested on the FreePBX Distro with Asterisk 13 and the latest FreePBX 13).

The Case:

An attacker dials through a PSTN gateway (PRI or analog) into a FreePBX system until something picks up (IVR, voicemail, an extension), then sends the feature code *2 via DTMF.

FreePBX listens on both call legs for DTMF. It receives *2, which means in-call (internal) transfer, and so executes the transfer dial with the fraudulent number via the next matching outbound route.

First and foremost, FreePBX should not act on any feature-code DTMF coming from an external source, but sadly this works.

Luckily this issue is fixed rather easily:

Go to Admin -> Feature Codes and disable the Internal Transfer code *2 as well as ##. I did not test whether call forwarding onto an extension can be forced from external like *79. The possibility that they can add any number to forward the call to is too scary, so better disable those too until a proper fix has been provided.

Tips to secure your PBX (recommended for all Asterisk-based PBXs, as well as others):

  1. Make sure your extensions are in the right context and that they are only allowed to dial based on the rights set (e.g. local, national, international)
  2. Add a PIN code for international calls
  3. Create a trunk called BANNED with the destination Hangup Call, then create an outbound route called BARRED NUMBERS, set it at the top of the list as the first route, and make sure it cannot be moved. As destination for this route choose the BANNED trunk, then add the prefixes of all countries you wish to prohibit access to. You can download an example here –> (please make sure to change the outbound route number to whatever your system is set to.)
  4. Add any unused or vacant extensions into a separate context that allows internal calls only
  5. Set a maximum call duration for international calls
  6. Limit your outbound channels per extension and per trunk
  7. Set complicated passwords on all extensions, with at least 25 characters
  8. Change said passwords at least yearly, and change the outbound dial PIN codes monthly
  9. Under no circumstances allow access to port 22 from the internet to your PBX
  10. Set "alwaysauthreject=yes" in sip.conf to prevent brute force attacks
  11. Implement a strict iptables policy on your gateway
  12. Add fail2ban in addition to iptables, and add a script to check that iptables is up
  13. Add permit/deny IP address entries to each SIP peer definition
  14. Always access your system using HTTPS
  15. Explicitly block countries nobody in your organization calls
  16. Monitor your system!

This is by no means a complete list, but it is one that prevents most fraud cases by limiting access in this way.
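Tip 3 depends on two things being true at once: the BARRED NUMBERS route must sit in front of every real trunk route, and its patterns must actually match the prefixes you care about. The following is an added example (not FreePBX code) that simulates FreePBX's first-match route selection so you can check both before a real call does. Route names, trunk names and the prefixes are constructed for illustration; the dial-pattern syntax (X, Z, N, [..], '.', '!', plus the prefix and prepend fields) is FreePBX's own.

```python
"""Simulate FreePBX outbound-route selection to check that a BARRED NUMBERS
route in front of a BANNED (hangup) trunk really catches the prefixes you
listed, and that it stops working the moment the route order changes.

Added example, not FreePBX code. Route names, trunk names and the prefixes
are constructed for illustration; the dial-pattern syntax (X, Z, N, [..],
'.', '!', prefix, prepend) is FreePBX's own.
"""
import re

# FreePBX/Asterisk pattern wildcards translated to regex fragments.
WILDCARDS = {'X': '[0-9]', 'Z': '[1-9]', 'N': '[2-9]', '.': '.+', '!': '.*'}

# Constructed routes, in evaluation order. Prefixes are illustrative only.
ROUTES = [
    {'name': 'BARRED NUMBERS', 'trunk': 'BANNED',        # destination: hangup
     'patterns': [('', '', '00252X.'), ('', '', '001900X.')]},
    {'name': 'International', 'trunk': 'SIP_PROVIDER',
     'patterns': [('', '', '00X.')]},
    {'name': 'National', 'trunk': 'SIP_PROVIDER',
     'patterns': [('', '', '0ZXXXXXXXX'),    # 10-digit national number
                  ('0', '9', 'ZXXXXXXXX')]},  # dial 9 first: strip it, prepend 0
]


def pattern_to_regex(prefix, match):
    """Compile a (prefix, match pattern) pair into a regex for the full dialed string."""
    parts, i = [re.escape(prefix)], 0
    while i < len(match):
        ch = match[i]
        if ch == '[':                       # character class like [1-5] passes through
            j = match.index(']', i)
            parts.append(match[i:j + 1])
            i = j + 1
            continue
        parts.append(WILDCARDS.get(ch, re.escape(ch)))
        i += 1
    return re.compile('^' + ''.join(parts) + '$')


def route_for(routes, dialed):
    """First route (in order) with a matching pattern, plus the number sent to its trunk."""
    for route in routes:
        for prepend, prefix, match in route['patterns']:
            if pattern_to_regex(prefix, match).match(dialed):
                return {'route': route['name'], 'trunk': route['trunk'],
                        'number': prepend + dialed[len(prefix):]}
    return None


def barred_route_is_first(routes):
    """The post's rule: the hangup route must be the very first one evaluated."""
    return bool(routes) and routes[0]['trunk'] == 'BANNED'


if __name__ == '__main__':
    for number in ('00252123456', '0049301234567', '9301234567'):
        print(number, '->', route_for(ROUTES, number))
    shuffled = ROUTES[1:] + ROUTES[:1]
    print('barred first?', barred_route_is_first(shuffled),
          '| barred number now goes to', route_for(shuffled, '00252123456')['trunk'])
```

Feed `route_for` the numbers on your own barred list and a few that must still work; the `shuffled` run shows why the post insists the BARRED NUMBERS route stays first: once the International route is evaluated before it, the same barred number reaches the real provider trunk.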


DISCLAIMER:

All content provided on this “dottoremoe.com” blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site.
The owner of “dottoremoe.com” will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

UPDATE (19/04/2016): FreePBX released a fix for this issue

FreePBX released a fix for FreePBX 13 to take care of this issue (currently in the edge track; you need to specifically enable this track to get access to the fix, as it can be a few days before it gets released into the stable track for everyone). The edge track was released at the end of last month.

More info on the edge track here: https://www.freepbx.org/introducing-the-edge-repository/

Researching this issue I stumbled over this entry in the community forum from a few days ago: http://community.freepbx.org/t/hacker-makes-international-calls-through-my-freepbx-ivr/34334/48 This entry talks in more detail about the issue and what is actually causing it.

This issue has been marked critical and the fix must be applied urgently to all FreePBX systems. Here is the issue / bug report: http://issues.freepbx.org/browse/FREEPBX-12058

This fix will add this setting to your Advanced Settings tab:

FreePBX fix for Fraud calls issue

In case you have an older version of FreePBX, you can fix it manually by removing the T option from the outbound route dial options.

FreePBX issues T dial out
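The root cause described in "The Case" above and the manual fix just given are the same thing seen from two sides: the Dial() option `T` lets the calling party transfer with DTMF, so on a leg whose caller came in from the PSTN it hands the transfer (and therefore the next outbound route) to an outsider, while `t` only lets the called party transfer. The following added example (not FreePBX's own code) audits dialplan text for Dial() lines that still carry `T`, resolving options passed through `${VARIABLES}` set by Set() lines, and shows the hardened option string for each hit. The sample dialplan, its context names and the variable names are constructed for illustration; run `audit_dialplan()` on your real extensions_additional.conf / extensions.conf text.

```python
"""Audit an Asterisk dialplan for Dial() calls that carry the 'T' option.

'T' lets the CALLING party transfer the call with DTMF; on a leg whose caller
is an external PSTN party that is exactly what the post describes. 't' (the
CALLED party may transfer) is the normal option for ringing an extension.

Added example, not FreePBX's own code. The dialplan below is constructed to
resemble FreePBX-generated output; run audit_dialplan() over your real
extensions.conf / extensions_additional.conf text.
"""
import re

CONTEXT_RE = re.compile(r'^\[([^\]]+)\]')
SET_RE = re.compile(r'\bSet\(([A-Za-z_][A-Za-z0-9_]*)=(.*)\)\s*$')
DIAL_RE = re.compile(r'\bDial\((.*)\)\s*$')
VAR_RE = re.compile(r'\$\{([A-Za-z_][A-Za-z0-9_]*)\}')

# Constructed sample (hypothetical contexts and variable names).
SAMPLE_DIALPLAN = """\
[macro-dialout-trunk]
exten => s,1,Set(DIAL_TRUNK_OPTIONS=Ttr)   ; caller may transfer on a trunk leg
exten => s,n,Dial(${OUT_${DIAL_TRUNK}}/${OUTNUM},300,${DIAL_TRUNK_OPTIONS})
[ext-local-custom]
exten => 2001,1,Dial(SIP/2001,20,tTr)
exten => 2002,1,Dial(SIP/2002,20,tr)
exten => 2003,1,Dial(SIP/2003,20,trM(record)L(3600000:60000))
[unknown-opts]
exten => _X.,1,Dial(SIP/${EXTEN},30,${OTHER_OPTIONS})
"""


def split_args(arg_string):
    """Split application arguments on top-level commas; commas inside ${...} or (...) stay."""
    args, depth, current = [], 0, []
    for ch in arg_string:
        if ch in '{(':
            depth += 1
        elif ch in '})':
            depth -= 1
        if ch == ',' and depth == 0:
            args.append(''.join(current))
            current = []
        else:
            current.append(ch)
    args.append(''.join(current))
    return args


def option_flags(options):
    """Single-letter Dial() flags, ignoring option arguments such as L(...) or M(...)."""
    return set(re.sub(r'\([^)]*\)', '', options))


def harden_options(options):
    """Drop the calling-party transfer flag 'T', keeping all other options and their arguments."""
    out, depth = [], 0
    for ch in options:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        if ch == 'T' and depth == 0:
            continue
        out.append(ch)
    return ''.join(out)


def audit_dialplan(text):
    """One finding per Dial() line whose options contain 'T' (status 'vulnerable')
    or reference a variable no Set() line defines (status 'unresolved')."""
    assignments, dials, context = {}, [], ''
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(';', 1)[0].strip()   # drop trailing ; comments
        if m := CONTEXT_RE.match(line):
            context = m.group(1)
        elif m := SET_RE.search(line):
            assignments[m.group(1).lstrip('_')] = m.group(2)   # __VAR is read back as ${VAR}
        elif m := DIAL_RE.search(line):
            dials.append((context, lineno, m.group(1)))

    findings = []
    for context, lineno, args in dials:
        parts = split_args(args)
        options = parts[2] if len(parts) > 2 else ''
        resolved = VAR_RE.sub(lambda v: assignments.get(v.group(1), v.group(0)), options)
        if VAR_RE.search(resolved):
            status = 'unresolved'          # cannot judge without the variable's value
        elif 'T' in option_flags(resolved):
            status = 'vulnerable'
        else:
            continue
        findings.append({'context': context, 'line': lineno, 'options': options,
                         'resolved': resolved, 'status': status,
                         'hardened': harden_options(resolved) if status == 'vulnerable' else None})
    return findings


if __name__ == '__main__':
    for f in audit_dialplan(SAMPLE_DIALPLAN):
        print(f"{f['status']:<10} line {f['line']:>3} [{f['context']}] "
              f"options={f['options']} -> {f['hardened']}")
```

When the option string comes from a variable, as in the trunk macro above, the place to edit is the Set() line (or the corresponding Advanced Settings field), not the Dial() line itself; lines reported as `unresolved` need a manual look because the variable is set somewhere the audit did not see.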

cheers

the doc.

DOWNLOAD BARRED PREFIX LIST
