Security Threat Discovered; Suggested Solution Described

Affected Products

All Xorcom IP-PBX models (XR1nnn, XR2nnn, XR3nnn, XE2nnn, XE3nnn) running Elastix 1.x

Problem

Protect Your Elastix Server from Infiltrators

It recently came to our attention that it is possible to log in to the unembedded FreePBX Web interface of the Elastix server (http://address/admin) with the user name ‘asteriskuser’ and the password ‘eLaStIx.asteriskuser.2oo7’. These are the same user name and password that FreePBX uses to access the ‘asterisk’ MySQL database. They are defined by the parameters AMPDBUSER and AMPDBPASS in the /etc/amportal.conf file.

Note: The option to log in with AMPDBUSER and AMPDBPASS is a standard feature of FreePBX. While the original Elastix FreePBX package contains a patch to close this ‘back door’, the FreePBX modules update operation overwrites the patch and the back door is re-opened.

The problem is that most Elastix users do not change the default password, and some immoral people have discovered this security breach and can use it to make calls at someone else’s expense. The procedure for changing the password is a little complicated: it is not sufficient to define a new password in the /etc/amportal.conf file, the MySQL settings must also be changed.
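As an added illustration (not part of the Xorcom advisory or its xr-addons package), the following POSIX shell helper reads an amportal.conf-style file and reports whether AMPDBUSER/AMPDBPASS are still the well-known defaults named above. The sample configuration it checks is constructed inline; on a real server you would point it at /etc/amportal.conf.

```shell
#!/bin/sh
# Added audit helper, not part of the Xorcom advisory or the xr-addons RPM.
# Parses an amportal.conf-style file and reports whether the FreePBX database
# credentials are the Elastix defaults quoted in the advisory.

# Default values named in the advisory.
DEFAULT_AMPDBUSER='asteriskuser'
DEFAULT_AMPDBPASS='eLaStIx.asteriskuser.2oo7'

# amp_get KEY FILE: print the value of KEY from an amportal.conf-style file.
# Lines look like "KEY=value"; whitespace around '=' is tolerated and, if the
# key is defined more than once, the last definition is used.
amp_get() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# amp_uses_default_creds FILE: succeed (exit 0) only if both AMPDBUSER and
# AMPDBPASS in FILE equal the advisory's default values.
amp_uses_default_creds() {
    [ "$(amp_get AMPDBUSER "$1")" = "$DEFAULT_AMPDBUSER" ] &&
    [ "$(amp_get AMPDBPASS "$1")" = "$DEFAULT_AMPDBPASS" ]
}

# Constructed sample file for a stand-alone run; not a real server's config.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed amportal.conf fragment
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS = eLaStIx.asteriskuser.2oo7
EOF

if amp_uses_default_creds "$SAMPLE_CONF"; then
    echo "WARNING: $SAMPLE_CONF still holds the default AMPDBUSER/AMPDBPASS"
else
    echo "$SAMPLE_CONF does not use the default AMPDBUSER/AMPDBPASS"
fi
rm -f "$SAMPLE_CONF"
```

A default hit does not by itself prove the Web fallback login is open: the patched header_auth.php shipped by Elastix blocks it even with the default credentials, so the file should be checked too.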

Solution

In response to this security threat Xorcom has developed a simple script that allows Elastix users to change the password easily. In order to install the script, do the following:

cd /tmp

wget http://updates.xorcom.com/~xorcom/xr-addons-1.00-0.noarch.rpm

rpm -Uvh xr-addons-1.00-0.noarch.rpm

ampasswd new_your_password

4 Comments

  1. xorcompbx says:

    !!IMPORTANT UPDATE!!
    Unfortunately, the solution we originally proposed above disables Asterisk CDR recording to the MySQL ‘asteriskcdrdb’ database. In addition, the Elastix Graphic Report functionality is adversely affected. Therefore, we now propose a different solution for the problem. This solution restores the original password for ‘asteriskuser’ (eLaStIx.asteriskuser.2oo7) and re-applies the original Elastix patch for the /var/www/html/admin/header_auth.php file that prevents the fall back login option with AMPDBUSER/AMPDBPASS to the unembedded FreePBX Web interface.

    UPDATED SOLUTION

    Note: This script is valid for 1.5.n-1.6.n versions of Elastix.

    Users who have changed the password as per the original ‘Security Threat Discovered’ alert* as well as users who have not should run the updated script as follows:

    cd /tmp

    wget http://updates.xorcom.com/~xorcom/xr-addons-2.00-0.noarch.rpm

    rpm -Uvh xr-addons-2.00-0.noarch.rpm

    ampasswd

    *Users who have changed the password as per the original ‘Security Threat Discovered’ alert must restart Asterisk after running this script.

    • xorcompbx says:

      Note About Possible “Fail” Message:

      If you receive the following error message after running ampasswd:
      1 out of 1 hunk FAILED — saving rejects to file /var/www/html/admin/header_auth.php.rej

      Ignore it!!

      It means that the Elastix original header_auth.php file was not changed as a result of the unembedded FreePBX modules upgrade.

      But aren’t you glad you verified that your server is protected?!