Security Threat Discovered - UPDATED

Affected Products

All Xorcom IP-PBX models (XR1nnn, XR2nnn, XR3nnn, XE2nnn, XE3nnn) running Elastix 1.x

Problem

It recently came to our attention that it is possible to log in to the unembedded FreePBX Web interface on the Elastix server (http://address/admin) with user name 'asteriskuser' and password 'eLaStIx.asteriskuser.2oo7'. These are the same user name and password that FreePBX uses to access the 'asterisk' MySQL database. They are defined in the AMPDBUSER and AMPDBPASS parameters in the /etc/amportal.conf file.

Note: The option to log in with AMPDBUSER and AMPDBPASS is a standard feature of FreePBX. While the original Elastix FreePBX package contains a patch to close this 'back door', the FreePBX modules update operation overwrites the patch and the back door is re-opened.

The problem is that most Elastix users do not change the default password, and some immoral people have discovered this security breach and can use it to make calls at someone else's expense. Changing the password is somewhat complicated: it is not sufficient to define a new password in the /etc/amportal.conf file; the MySQL settings must also be changed.

Important Update

Unfortunately, the solution we originally proposed in the Xorcom Technical Support Alert 'Security Threat Discovered' that was published on April 14 disables Asterisk CDR recording to the MySQL 'asteriskcdrdb' database. In addition, the Elastix Graphic Report functionality is adversely affected. Therefore, we now propose a different solution for the problem. This solution restores the original password for 'asteriskuser' (eLaStIx.asteriskuser.2oo7) and re-applies the original Elastix patch for the /var/www/html/admin/header_auth.php file, which prevents the fallback login option with AMPDBUSER/AMPDBPASS to the unembedded FreePBX Web interface.

Updated Solution

Note: This script is valid for 1.5.n-1.6.n versions of Elastix.

Users who have changed the password as per the original 'Security Threat Discovered' alert* as well as users who have not should run the updated script as follows:

cd /tmp

wget http://updates.xorcom.com/~xorcom/xr-addons-2.00-0.noarch.rpm

rpm -Uvh xr-addons-2.00-0.noarch.rpm

ampasswd

*Users who have changed the password as per the original 'Security Threat Discovered' alert must restart Asterisk after running this script.

Note About Possible "Fail" Message

If you receive the following error message after running ampasswd:
1 out of 1 hunk FAILED -- saving rejects to file /var/www/html/admin/header_auth.php.rej

Ignore it!!

It means that the original Elastix header_auth.php file was not changed as a result of an upgrade of the unembedded FreePBX modules.

But aren't you glad you verified that your server is protected?!
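An added example (not part of Xorcom's alert or the xr-addons package): shell helpers that report whether /etc/amportal.conf still holds the shipped AMPDBUSER/AMPDBPASS values and detect when a later FreePBX modules update has overwritten the patched header_auth.php. The function names and the checksum baseline file are assumptions; the credentials and paths are the ones named in this alert.

```shell
#!/bin/sh
# Added example: audit helpers for the condition described in this alert.
# Function names and the baseline-file idea are assumptions, not Xorcom tooling.

# Print the value of KEY from an amportal.conf-style file (KEY=value lines).
# Comment lines are skipped; the last definition wins.
conf_value() {   # usage: conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed if FILE still carries the shipped database credentials, i.e. the
# server relies entirely on the header_auth.php patch to block this login.
uses_shipped_credentials() {   # usage: uses_shipped_credentials FILE
    [ "$(conf_value "$1" AMPDBUSER)" = "asteriskuser" ] &&
        [ "$(conf_value "$1" AMPDBPASS)" = "eLaStIx.asteriskuser.2oo7" ]
}

# Store the checksum of the patched header_auth.php (run right after ampasswd).
record_baseline() {   # usage: record_baseline FILE BASELINE
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# 0 = file matches the baseline, 1 = file changed (for example overwritten by
# a FreePBX modules update), 2 = file or baseline missing.
patch_intact() {   # usage: patch_intact FILE BASELINE
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$2")" ]
}

# Report both checks; the status is non-zero when the patch needs attention.
audit() {   # usage: audit CONF HEADER_AUTH BASELINE
    if uses_shipped_credentials "$1"; then
        echo "NOTE: $1 holds the shipped AMPDBUSER/AMPDBPASS values"
    fi
    rc=0; patch_intact "$2" "$3" || rc=$?
    case $rc in
        0) echo "OK: $2 matches the recorded baseline" ;;
        1) echo "ALERT: $2 changed since baseline; re-run ampasswd"; return 1 ;;
        *) echo "ERROR: $2 or $3 is missing or unreadable"; return 2 ;;
    esac
}
```

Run record_baseline on /var/www/html/admin/header_auth.php once ampasswd has finished, then call audit after every FreePBX modules update; where the baseline file is kept is up to the administrator.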

Last Updated ( Wednesday, 22 Aug 2012 )