The SysAdminMan blog has posted a new article related to FreePBX security, that I strongly urge you to read if you are running FreePBX or any FreePBX-based distribution:
FreePBX security advisory – SIP extension types
The basic issue is that by default, FreePBX sets extensions to type=friend rather than the more secure type=peer. The article says it’s for historical reasons but I suspect there have been other reasons at play here (pure stubbornness, perhaps?). But with the growing body of evidence that type=friend is bad, and because FreePBX now has an Advanced Settings module that allows you to change certain defaults (though not yet this one), I have put in a Feature Request asking that system administrators be allowed to select a default type for extensions. We’ll see if it goes anywhere (and it might help if anyone who supports this idea would add a comment to that ticket), but given that in the past they’ve been reluctant to even entertain the idea of changing the default, I fear that they may once again refuse to even consider it. And for those of us who want to keep our systems as secure as reasonably possible, that would be a real shame.
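To make the type=friend vs. type=peer distinction concrete, here is an added audit script (my example, not code from the blog, the SysAdminMan article or the FreePBX project). In Asterisk chan_sip, type=peer matches an inbound request by the source IP and port, type=user matches by the username in the From header, and type=friend creates both, so a friend entry can be matched by username alone. The script parses an Asterisk-style SIP config, lists every section still set to type=friend, and shows the same text with those entries rewritten to type=peer. The sample configuration below is constructed in the style of a FreePBX-generated sip_additional.conf; the extension numbers, secrets and trunk host are invented placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the style of a FreePBX-generated sip_additional.conf.
# All values are invented for illustration; nothing here comes from a real system.
SAMPLE_CONF = """\
; constructed sample, not a real deployment
[general]
bindport=5060

[1001]
deny=0.0.0.0/0.0.0.0
secret=examplepass1
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
permit=0.0.0.0/0.0.0.0

[1002]
secret=examplepass2
context=from-internal
host=dynamic
type=peer

[trunk-out]
type=peer
host=sip.example.net
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def parse_sections(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse Asterisk-style config text into {section: {key: value}}.

    Handles [section] headers, key=value lines and ';' comments.
    Asterisk template syntax ([name](!), [name](tmpl)) is not handled,
    so inherited settings are not resolved.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_friend_sections(conf_text: str) -> List[str]:
    """Return the names of all sections (extensions or trunks) using type=friend."""
    return [
        name
        for name, kv in parse_sections(conf_text).items()
        if kv.get("type", "").lower() == "friend"
    ]


# Matches a 'type=friend' line, keeping indentation and any trailing comment.
FRIEND_LINE_RE = re.compile(r"^(\s*type\s*=\s*)friend(\s*(?:;.*)?)$", re.IGNORECASE)


def harden_friend_to_peer(conf_text: str) -> str:
    """Return the config with every type=friend rewritten to type=peer.

    Every other line is passed through unchanged.
    """
    return "\n".join(
        FRIEND_LINE_RE.sub(r"\1peer\2", raw) for raw in conf_text.splitlines()
    )


if __name__ == "__main__":
    print("type=friend sections:", find_friend_sections(SAMPLE_CONF))
    print("after hardening:", find_friend_sections(harden_friend_to_peer(SAMPLE_CONF)))
```

Treat the rewrite as an illustration of the intended end state rather than a file you edit by hand: FreePBX regenerates sip_additional.conf from its database, so the change has to be made in each extension's settings in the FreePBX interface, and the audit function is the part worth running against a real file to see which extensions still need attention.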
My read of this is that it only applies to systems with SIP ports open to the internet. Can you confirm?
No, because I’m not a security expert. But as an educated guess, I’d think that if you don’t have any SIP or IAX2 ports open to the Internet, an attacker would have to find some kind of back door into your system before they could make use of this vulnerability.
If anyone else cares to comment on this, please feel free, especially if you have more knowledge of this than I.
NOTICE: All comments above this one were imported from the original Michigan Telephone Blog and may or may not be relevant to the edited article above.