Fully patched FreePBX 13 system can be compromised via PSTN
The title sounds scary, but it is the truth and can easily be tested on your own FreePBX install (so far tested on the FreePBX Distro with Asterisk 13 and the latest FreePBX 13).
An attacker dials through a PSTN gateway (PRI or analog) into a FreePBX system until something picks up (an IVR, voicemail) and then sends the code *2 via DTMF.
FreePBX listens for DTMF on both call legs. When it receives *2, the in-call transfer feature code, it treats it as an internal transfer request and executes the Dial command for the fraudulent number through the next matching outbound route; the Dial options include Asterisk's T flag, which allows the calling party to transfer, so the external caller is granted the transfer.
First and foremost, FreePBX should not act on feature-code DTMF coming from an external source, but sadly this works.
Luckily this issue is fixed rather easily:
Go to Admin -> Feature Codes and disable the in-call transfer codes *2 (attended transfer) and ## (blind transfer). I did not test whether call forwarding to an extension can be forced from outside in the same way (e.g. *79). The possibility that an attacker could add any number to forward the call to is too scary, so better disable those too until a proper fix has been provided.
Tips to secure your PBX (recommended for all Asterisk-based PBXs as well as others):
- Make sure your extensions are in the right context and that they are only allowed to dial what their rights permit (e.g. local, national, international).
- Add a PIN code for international calls.
- Create a trunk called BANNED with the destination Hangup Call, then create an outbound route called BARRED NUMBERS, put it at the top of the list as the first route and make sure it can't be moved. Choose the BANNED trunk as the destination for this route, then add the prefixes of all countries you wish to prohibit. You can download an example here –> (please make sure to change the outbound route number to whatever your system is set to).
- Put any unused or vacant extensions into a separate context that allows internal calls only.
- Set a maximum call duration for international calls.
- Limit your outbound channels per extension and per trunk.
- Set complex passwords of at least 25 characters on all extensions.
- Change those passwords at least yearly, and change the outbound dial PIN codes monthly.
- Under no circumstances allow access to port 22 on your PBX from the internet.
- Set alwaysauthreject=yes in sip.conf so that a failed registration does not reveal whether an extension exists; this takes the enumeration step away from brute-force attacks.
- Implement a strict iptables policy on your gateway.
- Add fail2ban in addition to iptables, and add a script that checks that iptables is actually up.
- Add permit/deny IP address entries to each SIP peer definition.
- Always access your system over HTTPS.
- Explicitly block countries nobody in your organization calls.
- Monitor your system!!!
This is by no means a complete list, but it prevents most fraud cases by limiting access in this way.
UPDATE (19/04/2016): FreePBX released a FIX for this issue
FreePBX released a fix for FreePBX 13 that takes care of this issue. It is currently in the edge track; you need to specifically enable that track to get the fix, as it can be a few days before it is released into the stable track for everyone. The edge track itself was released at the end of last month.
more info on the edge track here: https://www.freepbx.org/introducing-the-edge-repository/
While researching this issue I stumbled over this entry in the community forum from a few days ago: http://community.freepbx.org/t/hacker-makes-international-calls-through-my-freepbx-ivr/34334/48 It goes into more detail about the issue and what is actually causing it.
This issue has been marked critical and the fix must be applied urgently to all FreePBX systems. Here is the issue / bug report: http://issues.freepbx.org/browse/FREEPBX-12058
The fix adds this setting to your Advanced Settings tab:
If you have an older version of FreePBX you can fix it manually by removing the T option (the Asterisk Dial flag that allows the calling party to transfer) from the outbound route's dial options.
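To check that the manual fix actually took, and to see the mechanism described at the top of this post in the dialplan itself, the script below scans a FreePBX-style dialplan for Dial() calls whose option string carries Asterisk's T flag (calling party may transfer, which is what lets *2 / ## fire for a caller bridged to a trunk) or t (called party may transfer). It resolves `${VAR}` option strings from Set() lines earlier in the same context, since FreePBX passes the trunk options through a variable, and reports lines it cannot resolve rather than guessing. This is an added example, not FreePBX code; the sample dialplan, its context names and the variable names are constructed for illustration.

```python
"""Audit an Asterisk dialplan for Dial() calls that hand DTMF transfer
features to a call leg (the T and t options).

Added example, not FreePBX code. The sample dialplan, context names and
variable names below are constructed to resemble FreePBX output.
"""
import re

CONTEXT_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
EXTEN_RE = re.compile(r"^\s*exten\s*=>\s*([^,]+),([^,]+),(\w+)\((.*)\)\s*$")
VAR_RE = re.compile(r"\$\{(\w+)\}")

# Dial() flags that enable the featuremap transfer codes for one side of the call.
TRANSFER_OPTIONS = {"T": "calling party", "t": "called party"}

# Constructed sample: an outbound-trunk macro that takes its options from a
# variable, an extension dial with parameterised options, a safe extension
# dial, and a custom context whose options cannot be resolved statically.
SAMPLE_DIALPLAN = """\
[macro-dialout-trunk]
exten => s,1,Set(DIAL_TRUNK_OPTIONS=Tt)
exten => s,n,Dial(${OUT_${DIAL_TRUNK}}/${OUTNUM},300,${DIAL_TRUNK_OPTIONS})

[macro-dial-one]
exten => s,1,Dial(SIP/1001,20,TtrM(auto-blkvm)b(func-apply-sipheaders^s^1))

[ext-local]
exten => 2000,1,Dial(SIP/2000,20,rM(auto-blkvm))

[from-trunk-custom]
exten => _X.,1,Dial(SIP/other/${EXTEN},300,${DIAL_OPTIONS})
"""


def split_args(s):
    """Split an application argument string at top-level commas only."""
    args, depth, cur = [], 0, []
    for ch in s:
        if ch in "({":
            depth += 1
        elif ch in ")}":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur))
    return args


def tokenize_options(opts):
    """Yield (flag, text) per option; parameters such as M(macro) or
    b(ctx^exten^pri) stay attached to their flag. Non-letters get flag None."""
    tokens, i = [], 0
    while i < len(opts):
        j = i + 1
        if opts[i].isalpha() and j < len(opts) and opts[j] == "(":
            depth = 0
            while j < len(opts):
                depth += {"(": 1, ")": -1}.get(opts[j], 0)
                j += 1
                if depth == 0:
                    break
        tokens.append((opts[i] if opts[i].isalpha() else None, opts[i:j]))
        i = j
    return tokens


def strip_options(opts, drop):
    """Return opts without the flags in drop (their parameters go with them)."""
    return "".join(tok for flag, tok in tokenize_options(opts) if flag not in drop)


def audit_dialplan(text):
    """Return one finding per Dial() that grants transfer or cannot be resolved."""
    findings, context, variables = [], None, {}
    for line in text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            context, variables = m.group(1), {}
            continue
        m = EXTEN_RE.match(line)
        if not m:
            continue
        exten, prio, app, args = m.groups()
        if app == "Set":
            name, _, value = args.partition("=")
            variables[name.strip()] = value.strip()
        elif app == "Dial":
            parts = split_args(args)
            opts = parts[2] if len(parts) > 2 else ""
            resolved = VAR_RE.sub(lambda v: variables.get(v.group(1), v.group(0)), opts)
            unresolved = "${" in resolved
            flags = [] if unresolved else [f for f, _ in tokenize_options(resolved) if f]
            transfer = [f for f in flags if f in TRANSFER_OPTIONS]
            if transfer or unresolved:
                findings.append({"context": context, "exten": exten, "priority": prio,
                                 "options": resolved, "transfer": transfer,
                                 "unresolved": unresolved,
                                 "hardened": None if unresolved else strip_options(resolved, {"T"})})
    return findings


if __name__ == "__main__":
    for f in audit_dialplan(SAMPLE_DIALPLAN):
        where = f"{f['context']} exten {f['exten']} prio {f['priority']}"
        if f["unresolved"]:
            print(f"{where}: options {f['options']} not resolvable, check by hand")
        else:
            who = ", ".join(TRANSFER_OPTIONS[x] for x in f["transfer"])
            print(f"{where}: {f['options']} lets {who} transfer; without T: {f['hardened']}")
```

Feed it the generated `extensions_additional.conf` rather than the GUI: whatever Advanced Settings says, the Dial() line Asterisk actually runs is what matters. Only T is stripped in the hardened string because that is the fix the bug report describes; t is reported so you can decide whether a far-end PSTN party should be able to transfer either.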