Review the Asterisk Dial Options on the Advanced Settings page. Specifically, you will want to look at the T and the t.

By default these allow transfers and are enabled. Adjust them if you are concerned about an external caller being able to transfer a call.

Certain conditions could break follow-me, without those options

If anyone is interested in more information about this issue, you can take a look at
http://issues.freepbx.org/browse/FREEPBX-12058

We should have this addressed within 48 hours.

There is a simple fix but i requires root access!

theislandtech, why don't you describe the simple fix? There could be a way to use it without root access...

Works on non E-MetroTel systems

You don't need to have the root access for this change. To do exactly what you described, just open the UCx management GUI and

• Navigate to PBX - PBX Configuration - Advanced Settings
• Locate the section "Dialplan and Operational" on that page
• Change the value of "Asterisk Dial Options" from the default "Ttr" to "tr" (i.e., remove the capital T)
• Press the checkmark beside "Asterisk Dial Options" to save the modification of this option
• Change the value of "Asterisk Outbound Trunk Dial Options" from the default "Tt" to "" (i.e., remove the Tt)
• Press the checkmark beside "Asterisk Outbound Trunk Dial Options" to save the modification of this option
• Press the pink bar Apply Config at the top of the page to apply these changes

Now, making these changes is NOT a solution/fix. The first change eliminates the security problem, but it also changes the behavior of the system. With this change, users won't be able to use transfer features in various situations. The Find Me/Follow Me feature can also be impacted. I can ensure you that many people won't like this change. The second change is for outbound calls - it is significantly less likely that someone would exploit that. I would recommend only the first change as a workaround until a real fix is available. A proper solution is more complicated...

On non UCX systems in my lab, the GUI options did not give the desired results whereas the cmd line did.

The advanced settings page is used to change values in the freepbx_settings database table - so, the GUI page does exactly what you did, but without the need to understand SQL. I suspect you might have missed the "Press the checkmark beside the option to save the modification".

fraid not pressed checkmark and clicked apply

We have addressed this issue in all three versions of our UCx product line (4.0, 4.5 and the upcoming 5.0)

It took a bit longer to do it correctly, but we feel good about the work we have done to address this.

We have added a TRUE/FALSE control on the Advanced Settings page of the gui under the Dialplan and Operational section. The field is labeled: "Disallow Transfers for Inbound Callers" and it defaults to TRUE, which prevents an external inbound caller from dialing *2
To override this behavior set this to FALSE.

These fixes will be available through our Software Update later today (April, 20, 2016).

emtsupport, will this fix affect any other transfer function?

BTW - if anyone is wondering how the exploit works, here is the scenario:

1. An external caller dials into a FreePBX based system and gets the incoming call answered (by dialing an extension - they would have to guess a valid extension on the system, by going through an IVR to some extension, using a directory, by reaching an operator, etc.)
2. Once the call is answered by an extension on the system (transfer cannot be used otherwise), the external caller presses *2 to invoke the Asterisk Built-in Attended Transfer feature. FreePBX based systems in their default configuration allow external callers to use this feature.
3. When the attended transfer is invoked, the external caller is presented with a dial tone and can dial any external destination allowed by the system.

From the perspective of the receiving party (extension, operator, etc.), they would describe it as - my phone was ringing, I answered and almost immediately I heard music on hold, so I hung up.

The easiest workaround for this security issue is to change the default feature code for Asterisk Built-in Attended Transfer from the default *2 to something else. The caller won't have any idea how to invoke the attended transfer and therefore won't be able to use the feature to make the external call.

No Transfers are impacted, this just restricts what external callers have access to.