FreePBX - Critical Zero-Day Vulnerability
I follow NerdVittles for most of my Asterisk/FreePBX needs. It's a blog that covers reviews of tablets, Android, etc., but, at its core, it really focuses on Asterisk phone systems.
It's great! I've been following it for the past 3-4 years now and the blog always has some cool new feature that I can add to my FreePBX machine at home (I run it on a Raspberry Pi), such as How to add a Security system to your Asterisk box.
Anyway, about 2 weeks ago, FreePBX.org and NerdVittles wrote articles about a huge vulnerability that affects ALL Asterisk machines running FreePBX on ALL Linux flavors.
What happens?
Well, a vulnerability was found in the FreePBX ARI Framework module that allows a remote user to bypass username/password authentication entirely, which can give an attacker full remote code execution through the Apache web server.
Similarly to Heartbleed, this is a vulnerability that has existed for a very long time and was only noticed now. All versions of FreePBX prior to 12 are directly affected, and FreePBX 12 is still vulnerable if you keep the legacy ARI module installed and enabled.
How to Fix It?
Sourcing information from FreePBX (http://www.freepbx.org/node/92822), the steps to patch your system are as follows:
Users prior to FreePBX 12 should update FreePBX ARI Framework to version 2.11.1.5 immediately
FreePBX 12 users should disable and uninstall the legacy FreePBX ARI Framework module and switch to the new User Control Panel, which is not to be confused with the previous ‘User Control Panel Tab’.
Read http://www.freepbx.org/node/92822 for more information on exactly what to do.
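A quick way to check where a box stands against the two rules above is to parse the module listing (on FreePBX 2.x typically `amportal a ma list`) and compare the ARI module's version numerically, since a plain string comparison would rank 2.11.1.10 below 2.11.1.5. This is an added example, not code from FreePBX or NerdVittles; the module id `fw_ari` and the column layout of the sample listing are assumptions.

```python
import re

# Version the advisory says pre-12 installs must reach.
PATCHED_ARI_VERSION = "2.11.1.5"
# Module id assumed for the legacy "FreePBX ARI Framework" module.
ARI_MODULE = "fw_ari"

# Constructed sample of a module listing (layout is an assumption):
# columns are module id, version (may be blank), status.
SAMPLE_LISTING = """\
Module         Version     Status
builtin                    Enabled
core           2.11.0.39   Enabled
fw_ari         2.11.1.4    Enabled
fw_fop         2.11.0.5    Not Installed
"""

VERSION_RE = re.compile(r"\d+(\.\d+)*")


def parse_version(text):
    """'2.11.1.10' -> (2, 11, 1, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def find_module(listing, module=ARI_MODULE):
    """Return (version or None, status) for a module, or None if not listed."""
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields[0] != module:
            continue
        has_version = len(fields) > 1 and VERSION_RE.fullmatch(fields[1])
        version = fields[1] if has_version else None
        status = " ".join(fields[2:] if has_version else fields[1:])
        return version, status
    return None


def ari_assessment(listing, freepbx_major):
    """Classify the legacy ARI module state against the advisory's two rules."""
    found = find_module(listing)
    if found is None or found[1].lower() == "not installed":
        return "ok: legacy ARI module is not installed"
    version, status = found
    if freepbx_major >= 12:
        # FreePBX 12 must remove the module outright; disabled is not enough.
        return "vulnerable: FreePBX 12 must uninstall the legacy ARI module (%s)" % status
    if version is None:
        return "unknown: no version reported for %s" % ARI_MODULE
    if parse_version(version) >= parse_version(PATCHED_ARI_VERSION):
        return "ok: %s %s is at or above %s" % (ARI_MODULE, version, PATCHED_ARI_VERSION)
    return "vulnerable: %s %s is below %s" % (ARI_MODULE, version, PATCHED_ARI_VERSION)
```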
NerdVittles also has a good explanation on what exactly this is here.
Make sure your firewall blocks external access to the web interface and SSH (if possible). While your server will still be "vulnerable", if it isn't reachable from outside (except for SIP or IAX2 trunks) then you should be fine.