
Security Issue 1


theislandtech

Technical User
May 29, 2013
259
US
Incoming external caller can dial *2 (in-call attended transfer) or ## (in-call blind transfer) plus any allowed number and be transferred to that number!
 
Review the Asterisk Dial Options on the Advanced Settings page. Specifically, you will want to look at the T and the t.

By default these allow transfers and are enabled. Adjust them if you are concerned about an external caller being able to transfer a call.
 
Certain conditions could break follow-me without those options.
 
theislandtech, why don't you describe the simple fix? There could be a way to use it without root access...
 
Works on non E-MetroTel systems

Code:
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
amportal a r
 
You don't need to have the root access for this change. To do exactly what you described, just open the UCx management GUI and:

- Navigate to PBX - PBX Configuration - Advanced Settings
- Locate the section "Dialplan and Operational" on that page
- Change the value of "Asterisk Dial Options" from the default "Ttr" to "tr" (i.e., remove the capital T)
- Press the checkmark beside "Asterisk Dial Options" to save the modification of this option
- Change the value of "Asterisk Outbound Trunk Dial Options" from the default "Tt" to "" (i.e., remove the Tt)
- Press the checkmark beside "Asterisk Outbound Trunk Dial Options" to save the modification of this option
- Press the pink bar Apply Config at the top of the page to apply these changes

Now, making these changes is NOT a solution/fix. The first change eliminates the security problem, but it also changes the behavior of the system. With this change, users won't be able to use transfer features in various situations. The Find Me/Follow Me feature can also be impacted. I can assure you that many people won't like this change. The second change is for outbound calls - it is significantly less likely that someone would exploit that. I would recommend only the first change as a workaround until a real fix is available. A proper solution is more complicated...
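As an added example (not code from the thread or from the UCx/FreePBX projects), the check below takes the DIAL_OPTIONS and TRUNK_OPTIONS values discussed above and reports whether an inbound external caller holds the transfer right. It relies on the Asterisk Dial() meaning of the flags: T lets the calling party transfer, t lets the called party transfer; parenthesised arguments such as L(...) are skipped so their contents are not mistaken for flags. The settings dictionaries are constructed samples mirroring the defaults named in the thread.

```python
"""Audit FreePBX/Asterisk dial option strings for transfer exposure.

Added example, not from the thread. Asterisk Dial() flag meanings assumed:
  T - calling party may transfer (on an inbound call, the outside caller)
  t - called party may transfer (the extension that answered)
Flags may carry parenthesised arguments, e.g. L(3600000:60000); those
arguments are stripped before the single-letter flags are examined.
"""
import re

ARG_RE = re.compile(r"\([^)]*\)")


def dial_flags(options: str) -> set:
    """Return the set of single-letter Dial() flags in an option string,
    ignoring whitespace and any parenthesised arguments."""
    stripped = ARG_RE.sub("", options)
    return {c for c in stripped if not c.isspace()}


def audit_settings(settings: dict) -> list:
    """settings maps freepbx_settings keyword -> value.
    Returns a list of findings; an empty list means no exposure found."""
    findings = []
    dial = dial_flags(settings.get("DIAL_OPTIONS", ""))
    trunk = dial_flags(settings.get("TRUNK_OPTIONS", ""))
    if "T" in dial:
        findings.append(
            "DIAL_OPTIONS contains 'T': an answered inbound external caller "
            "can invoke *2/## and be transferred to any allowed number")
    if "T" in trunk or "t" in trunk:
        findings.append("TRUNK_OPTIONS allows transfers on outbound trunk calls")
    return findings


# Constructed sample rows mirroring the defaults and the workaround above.
DEFAULT_SETTINGS = {"DIAL_OPTIONS": "Ttr", "TRUNK_OPTIONS": "Tt"}
HARDENED_SETTINGS = {"DIAL_OPTIONS": "tr", "TRUNK_OPTIONS": ""}

if __name__ == "__main__":
    for name, s in (("default", DEFAULT_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_settings(s) or ["no transfer exposure found"])
```

The same check can be run against live values by feeding it the output of the `select keyword, value from freepbx_settings` rows rather than the constructed dictionaries.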
 
On non UCX systems in my lab, the GUI options did not give the desired results whereas the cmd line did.
 
The advanced settings page is used to change values in the freepbx_settings database table - so, the GUI page does exactly what you did, but without the need to understand SQL. I suspect you might have missed the "Press the checkmark beside the option to save the modification".
 
We have addressed this issue in all three versions of our UCx product line (4.0, 4.5 and the upcoming 5.0).

It took a bit longer to do it correctly, but we feel good about the work we have done to address this.

We have added a TRUE/FALSE control on the Advanced Settings page of the GUI under the Dialplan and Operational section. The field is labeled "Disallow Transfers for Inbound Callers" and it defaults to TRUE, which prevents an external inbound caller from dialing *2.
To override this behavior, set this to FALSE.

These fixes will be available through our Software Update later today (April 20, 2016).

 
BTW - if anyone is wondering how the exploit works, here is the scenario:

1. An external caller dials into a FreePBX based system and gets the incoming call answered (by dialing an extension - they would have to guess a valid extension on the system, by going through an IVR to some extension, using a directory, by reaching an operator, etc.)
2. Once the call is answered by an extension on the system (transfer cannot be used otherwise), the external caller presses *2 to invoke the Asterisk Built-in Attended Transfer feature. FreePBX based systems in their default configuration allow external callers to use this feature.
3. When the attended transfer is invoked, the external caller is presented with a dial tone and can dial any external destination allowed by the system.

From the perspective of the receiving party (extension, operator, etc.), they would describe it as: my phone was ringing, I answered and almost immediately I heard music on hold, so I hung up.

The easiest workaround for this security issue is to change the default feature code for Asterisk Built-in Attended Transfer from the default *2 to something else. The caller won't have any idea how to invoke the attended transfer and therefore won't be able to use the feature to make the external call.
 
No transfers are impacted; this just restricts what external callers have access to.
 