Surviving a 0-Day: Our Battle with a FreePBX Exploit

Dive into the shocking tale of how our FreePBX systems were targeted by hackers. From the initial discovery to the aftermath, we explore not just the hack, but the broader implications for the FreePBX community. What did we learn from this cyber-attack? How did we respond, and more importantly, how did Sangoma - the stewards of FreePBX - respond? This journey takes us from unexpected firewall alerts to DEFCON 31, and raises serious questions about the future of FreePBX. Stay informed, stay secure, and join us as we unravel the mystery of the FreePBX 0-Day.

Timecodes:

00:00 Intro
02:30 Details of the Hack
08:30 0-Day - DEFCON 31 Sheds Some Light on the Hack
12:38 Sangoma's Response
20:05 The Future of FreePBX?
Comments

What a shame Sangoma has fallen so far in the last 5 years. I worked with them quite a bit in the past, but before the core of the team moved to Clearly. When someone tells you who they are, you should listen. No CVE issued, deemed a 'minor' issue, nuked the bug bounty program, refused to pay out, and sparse details about what was patched (and if it was even successful).

Add in the hardcoded 'login' password bypass for authentication because they can't be arsed to implement authentication on devices THEY MAKE... what an absolute mess.

CraftComputing

Hopefully Sangoma will do the right thing and turn the project over to an organization that cares. Good luck.

jetblast

As someone who works in Digital Forensics and Incident Response, this is an awesome video! I applaud your transparency and the way you explained this attack and your response process. Good communication is the most critical part of response to any incident, and, for what it’s worth, as someone who does this day in and out, you did great here. Keep it up!

IntrepidTechie

Thank you Chris, you do the FreePBX community a service, I really hope some minds at Sangoma heed these words. FREE THE FROG.

TaylorDrue

Thank you for not only outlining the problem, but offering a solution. You have demonstrated in your videos that you have a lot of contacts in the VoIP and open source community that you could coordinate this project and not let it die.

extramiletechnologyservices

I would love to see a video from you showing how you use and set up Grafana and Zabbix to do this type of monitoring. Thanks for the detailed video of how this hack went down.

techwrightauto

Good Work Chris! This was well presented. I actually found that exploit video back in September and had looked into that. I had locked my edge firewall down so tight that I was having trouble with my Trunking Service. We know who they are because you love them. So I had to take a different approach. It didn't take much but let me know if you want some info on how we stopped the SIP attack that happened with us almost immediately. If you're interested I'll try and send you an email about it. I have been trying to spread as much information about it as I can and even provided some instructions to our trunking service for suggestions to their customers on how to better secure their PBX internet connections. Thanks for removing my previous comment....after posting it I realized that there might have been a little too much information in there. Keep up the hard work! The information you provide is worth gold.

JonGeorge-jh

10:55 Just a note here: The User-Agent header is part of HTTP, not something like a TCP packet header.

jckf

Sangoma has been having issues with their Fax Stations. This issue causes the fax line to silently hang up while acting like it was making the faxes successful, but it very much wasn’t. We got with Sangoma a few times with many examples and they did not believe us. We had all of our medical clients affected. It took our owner threatening them with dropping them for fax and then they acknowledged they knew there was an issue.

Wesrl

Good video, TY. It's clear that unless something changes, your only option is to walk away from the product. Sangoma will of course say that you can just move to a paid product, but all the rest of us know, that most of the users utilising the free version, are not "cheap" enterprises/businesses, but rather small entities with no or little money, and few options, so they can not do that.

mibian

How are you gonna leave us on this cliffhanger for 14 more hours!? All jokes aside, hope everything went okay. I manage a FreePBX server so I’m a little nervous now to find out more.

blueline

I would love a video on how you are monitoring the servers. I'm a big Grafana and Zabbix fan so would like to see what you are monitoring, including what you monitored to catch the hacks.

alacava

Since FreePBX is actually competitive to their other products and services that create revenue for them, what Sangoma is doing makes perfect sense; they are slowly but surely killing off the competition...

auxmobile

I have long wanted to set up a PBX system. I have watched all your videos on it and am pretty convinced FreePBX is the way to go. I love open source software and now I might finally have a reason to set one up. I really don't want to see FreePBX die... I guess it can always be forked.

mathesonstep

You are absolutely right!!! After more than 20 PBXact or FreePBX projects, we at my company realize that Sangoma doesn't want FreePBX to grow up!!! Sad, but there are other projects growing fast!!!

giancarlosrm

Figuring out the chronology of a breach is a real challenge sometimes. Sometimes impossible tbh. And once people start to think they'll never figure it out, they no longer do their best work.

But without knowing the chronology you can't always identify the hole you need to plug.

christopherjackson

The R2D2 made from the UDM Dream Router is pure genius.

XSpiritvSX

You are a gamechanger, my friend. Good job.

ricardomalla

Thank you, but also for offering a solution. You have shown in your videos that you have many contacts in the VoIP community.

redesred

Been on FreePBX since 2018; 2 installs, 1 being v14 and the second being v15. Can't believe it's already been 4 years since we had a proper full release and just makes me nervous about the future of my company's phone system. We came from a 1997 NEC system, so even if we keep this one going for 30 years, we'll live, but jeez.... Have you done any looking into the new UniFi Talk service/system? I wonder if that's any good...

mandurphy