Security Issue
(OP)
An incoming external caller can dial *2 (in-call attended transfer) or ## (in-call blind transfer) plus any allowed number and be transferred to that number!
RE: Security Issue
By default these allow transfers and are enabled. Adjust them if you are concerned about an external caller being able to transfer a call.
RE: Security Issue
http://issues.freepbx.org/browse/FREEPBX-12058
RE: Security Issue
- Navigate to PBX - PBX Configuration - Advanced Settings
- Locate the section "Dialplan and Operational" on that page
- Change the value of "Asterisk Dial Options" from the default "Ttr" to "tr" (i.e., remove the capital T)
- Press the checkmark beside "Asterisk Dial Options" to save the modification of this option
- Change the value of "Asterisk Outbound Trunk Dial Options" from the default "Tt" to "" (i.e., remove the Tt)
- Press the checkmark beside "Asterisk Outbound Trunk Dial Options" to save the modification of this option
- Press the pink bar Apply Config at the top of the page to apply these changes
Now, making these changes is NOT a solution/fix. The first change eliminates the security problem, but it also changes the behavior of the system. With this change, users won't be able to use transfer features in various situations. The Find Me/Follow Me feature can also be impacted. I can assure you that many people won't like this change. The second change is for outbound calls - it is significantly less likely that someone would exploit that. I would recommend only the first change as a workaround until a real fix is available. A proper solution is more complicated...
RE: Security Issue
It took a bit longer to do it correctly, but we feel good about the work we have done to address this.
We have added a TRUE/FALSE control on the Advanced Settings page of the GUI under the Dialplan and Operational section. The field is labeled "Disallow Transfers for Inbound Callers" and it defaults to TRUE, which prevents an external inbound caller from dialing *2.
To override this behavior, set this to FALSE.
These fixes will be available through our Software Update later today (April 20, 2016).
RE: Security Issue
1. An external caller dials into a FreePBX-based system and gets the incoming call answered (by dialing an extension - they would have to guess a valid extension on the system - by going through an IVR to some extension, using a directory, by reaching an operator, etc.).
2. Once the call is answered by an extension on the system (transfer cannot be used otherwise), the external caller presses *2 to invoke the Asterisk Built-in Attended Transfer feature. FreePBX-based systems in their default configuration allow external callers to use this feature.
3. When the attended transfer is invoked, the external caller is presented with a dial tone and can dial any external destination allowed by the system.
From the perspective of the receiving party (extension, operator, etc.), they would describe it as: "My phone was ringing, I answered, and almost immediately I heard music on hold, so I hung up."
The easiest workaround for this security issue is to change the default feature code for Asterisk Built-in Attended Transfer from the default *2 to something else. The caller won't have any idea how to invoke the attended transfer and therefore won't be able to use the feature to make the external call.
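An added audit script (not from this thread or the FreePBX project) that applies the Dial Options reasoning from the earlier post and the three steps above: it parses an Asterisk Dial() flag string, reports whether the party outside the PBX holds a transfer flag on each leg ('T' gives the calling party transfer rights, so it reaches the external caller on inbound calls; 't' gives the called party those rights, so it reaches the external party on outbound trunk calls), and produces the hardened string. The global variable names DIAL_OPTIONS and TRUNK_OPTIONS and the sample [globals] text are assumptions, and the script strips only the external party's flag, whereas the post above clears the outbound trunk string entirely.

```python
import re

# Asterisk Dial() flags: 'T' lets the CALLING party start a transfer with the
# features.conf DTMF codes (*2 attended, ## blind); 't' lets the CALLED party.
# Which flag hands control to an outsider depends on the leg: on an inbound
# call the external party is the caller, on an outbound trunk call the callee.
EXTERNAL_FLAG = {"inbound": "T", "outbound": "t"}

# One letter per flag, optionally followed by a parenthesised argument
# (e.g. L(60000:30000)), so arguments are never mistaken for flags.
FLAG_RE = re.compile(r"[A-Za-z](?:\([^)]*\))?")

def parse_dial_options(opts):
    """Split a Dial() option string into flags, keeping arguments attached,
    e.g. 'TtrL(60000)' -> ['T', 't', 'r', 'L(60000)']."""
    return FLAG_RE.findall(opts.strip())

def external_party_can_transfer(opts, leg):
    """True if the party outside the PBX may invoke *2 / ## on this leg."""
    return EXTERNAL_FLAG[leg] in parse_dial_options(opts)

def harden(opts, leg):
    """Drop only the flag that gives the external party transfer rights."""
    return "".join(f for f in parse_dial_options(opts) if f != EXTERNAL_FLAG[leg])

# Assumption: FreePBX writes the two GUI settings into these global variables.
SETTING_LEG = {"DIAL_OPTIONS": "inbound", "TRUNK_OPTIONS": "outbound"}

def audit_globals(text):
    """Scan 'NAME = value' lines; return {name: (value, risky, hardened)}."""
    report = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S*)", line)
        if not m or m.group(1) not in SETTING_LEG:
            continue
        name, value = m.groups()
        leg = SETTING_LEG[name]
        report[name] = (value, external_party_can_transfer(value, leg), harden(value, leg))
    return report

# Constructed sample mirroring the defaults quoted in the thread.
SAMPLE = """[globals]
DIAL_OPTIONS = Ttr
TRUNK_OPTIONS = Tt
"""

if __name__ == "__main__":
    for name, (value, risky, fixed) in audit_globals(SAMPLE).items():
        print(f"{name:14} {value:6} {'RISK' if risky else 'ok':4} -> {fixed or '(empty)'}")
```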