Security Issue

theislandtech (TechnicalUser) (OP) 18 Apr 16 19:49
Incoming external caller can dial *2 (in-call attended transfer) or ## (in-call blind transfer) plus any allowed number and be transferred to that number!

RE: Security Issue
emtsupport (Vendor) 18 Apr 16 21:09
Review the Asterisk Dial Options on the Advanced Settings page. Specifically, you will want to look at the T and the t. By default these allow transfers and are enabled. Adjust them if you are concerned about an external caller being able to transfer a call.

RE: Security Issue
theislandtech (TechnicalUser) (OP) 18 Apr 16 21:37
Certain conditions could break follow-me without those options.

RE: Security Issue
ucxguy (Programmer) 19 Apr 16 13:01
If anyone is interested in more information about this issue, you can take a look at http://issues.freepbx.org/browse/FREEPBX-12058

RE: Security Issue
emtsupport (Vendor) 19 Apr 16 20:51
We should have this addressed within 48 hours.

RE: Security Issue
theislandtech (TechnicalUser) (OP) 19 Apr 16 23:18
There is a simple fix, but it requires root access!

RE: Security Issue
ucxguy (Programmer) 20 Apr 16 11:23
theislandtech, why don't you describe the simple fix? There could be a way to use it without root access...

RE: Security Issue
theislandtech (TechnicalUser) (OP) 20 Apr 16 11:52
Works on non E-MetroTel systems

CODE -->
    # Remove the caller-side transfer flag (T) from the dialplan dial options
    mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
    # Clear the outbound trunk dial options
    mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
    # Reload the dialplan so the new settings take effect
    amportal a r

RE: Security Issue
ucxguy (Programmer) 20 Apr 16 12:48
You don't need to have root access for this change.
To do exactly what you described, just open the UCx management GUI and:
1. Navigate to PBX - PBX Configuration - Advanced Settings
2. Locate the section "Dialplan and Operational" on that page
3. Change the value of "Asterisk Dial Options" from the default "Ttr" to "tr" (i.e., remove the capital T)
4. Press the checkmark beside "Asterisk Dial Options" to save the modification of this option
5. Change the value of "Asterisk Outbound Trunk Dial Options" from the default "Tt" to "" (i.e., remove the Tt)
6. Press the checkmark beside "Asterisk Outbound Trunk Dial Options" to save the modification of this option
7. Press the pink bar Apply Config at the top of the page to apply these changes
Now, making these changes is NOT a solution/fix. The first change eliminates the security problem, but it also changes the behavior of the system. With this change, users won't be able to use transfer features in various situations. The Find Me/Follow Me feature can also be impacted. I can assure you that many people won't like this change. The second change is for outbound calls - it is significantly less likely that someone would exploit that. I would recommend only the first change as a workaround until a real fix is available. A proper solution is more complicated...

RE: Security Issue
theislandtech (TechnicalUser) (OP) 20 Apr 16 13:06
On non-UCx systems in my lab, the GUI options did not give the desired results, whereas the command line did.

RE: Security Issue
ucxguy (Programmer) 20 Apr 16 13:13
The advanced settings page is used to change values in the freepbx_settings database table - so, the GUI page does exactly what you did, but without the need to understand SQL. I suspect you might have missed the "Press the checkmark beside the option to save the modification".

RE: Security Issue
theislandtech (TechnicalUser) (OP) 20 Apr 16 14:35
'Fraid not, pressed checkmark and clicked apply.

RE: Security Issue
emtsupport (Vendor) 20 Apr 16 16:54
We have addressed this issue in all three versions of our UCx product line (4.0, 4.5 and the upcoming 5.0). It took a bit longer to do it correctly, but we feel good about the work we have done to address this. We have added a TRUE/FALSE control on the Advanced Settings page of the GUI under the Dialplan and Operational section. The field is labeled "Disallow Transfers for Inbound Callers" and it defaults to TRUE, which prevents an external inbound caller from dialing *2. To override this behavior set this to FALSE. These fixes will be available through our Software Update later today (April 20, 2016).

RE: Security Issue
getsomesun1 (TechnicalUser) 20 Apr 16 19:05
emtsupport, will this fix affect any other transfer function?

RE: Security Issue
ucxguy (Programmer) 20 Apr 16 19:22
BTW - if anyone is wondering how the exploit works, here is the scenario:
1. An external caller dials into a FreePBX based system and gets the incoming call answered (by dialing an extension - they would have to guess a valid extension on the system, by going through an IVR to some extension, using a directory, by reaching an operator, etc.)
2. Once the call is answered by an extension on the system (transfer cannot be used otherwise), the external caller presses *2 to invoke the Asterisk Built-in Attended Transfer feature. FreePBX based systems in their default configuration allow external callers to use this feature.
3. When the attended transfer is invoked, the external caller is presented with a dial tone and can dial any external destination allowed by the system.
From the perspective of the receiving party (extension, operator, etc.), they would describe it as - my phone was ringing, I answered and almost immediately I heard music on hold, so I hung up.
The easiest workaround for this security issue is to change the default feature code for Asterisk Built-in Attended Transfer from the default *2 to something else. The caller won't have any idea how to invoke the attended transfer and therefore won't be able to use the feature to make the external call.

RE: Security Issue
emtsupport (Vendor) 20 Apr 19:34
No transfers are impacted, this just restricts what external callers have access to.
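Added example, not code from the thread or from FreePBX: a small auditor for the DIAL_OPTIONS value the workaround above edits. It assumes the Asterisk Dial() flag semantics (lowercase t lets the called party transfer, uppercase T lets the calling party, i.e. the external inbound caller, transfer) and a constructed dict standing in for rows of the freepbx_settings table; it tokenises the option string rather than blindly deleting every "T", so parenthesised arguments such as L(60000) survive.

```python
"""Audit FreePBX Asterisk Dial option strings for caller-side transfer.

Added example, not from the thread or FreePBX. Flag semantics assumed from
the Asterisk Dial() application: 't' lets the called party transfer, 'T'
lets the calling party (for an inbound call, the external caller) transfer.
"""
import re

# Dial options may carry parenthesised arguments, e.g. L(60000) or M(macro).
# A naive value.replace("T", "") could corrupt those, so tokenise instead.
_OPTION_RE = re.compile(r"([A-Za-z])(\([^)]*\))?")


def parse_dial_options(value):
    """Split a Dial option string into (flag, argument_or_None) tuples."""
    tokens, pos = [], 0
    for m in _OPTION_RE.finditer(value):
        if m.start() != pos:  # gap means a character we do not understand
            raise ValueError(f"unexpected text at {pos}: {value[pos:]!r}")
        tokens.append((m.group(1), m.group(2)))
        pos = m.end()
    if pos != len(value):
        raise ValueError(f"unexpected trailing text: {value[pos:]!r}")
    return tokens


def caller_can_transfer(value):
    """True if the calling party may invoke a transfer (the 'T' flag)."""
    return any(flag == "T" for flag, _ in parse_dial_options(value))


def strip_caller_transfer(value):
    """Return the option string with 'T' removed and every other flag kept."""
    return "".join(flag + (arg or "")
                   for flag, arg in parse_dial_options(value) if flag != "T")


def audit(settings):
    """settings: dict keyword -> value, a constructed stand-in for rows of
    freepbx_settings. Returns (keyword, current, recommended) findings."""
    findings = []
    current = settings.get("DIAL_OPTIONS", "")
    if caller_can_transfer(current):
        findings.append(("DIAL_OPTIONS", current, strip_caller_transfer(current)))
    return findings


if __name__ == "__main__":
    sample = {"DIAL_OPTIONS": "Ttr", "TRUNK_OPTIONS": "Tt"}  # thread defaults
    for keyword, current, recommended in audit(sample):
        print(f"{keyword}: {current!r} lets the calling party transfer; "
              f"workaround value would be {recommended!r}")
```

The recommended value mirrors only the first of ucxguy's two changes; it does not touch TRUNK_OPTIONS, which the thread treats as a separate, lower-risk decision.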