A Word about Switchvox, FreePBX and PBXact Security

Owned by Nathaniel Halbrooks
Oct 09, 2024
2 min read

A Word about Switchvox, FreePBX and PBXact Security:

 

Please note that this “issue” does not affect any version of Switchvox On-Premise or Switchvox Cloud. This also does not affect the phones themselves but a legacy end-of-life Digium phone module for an Open Source product. If you would like more information, please see below. 

 

On July 15, 2022, Paloalto Networks published a blog describing that they were monitoring a high volume of malicious IP traffic targeting PBX systems. The blog post states that this traffic is likely intended to exploit FreePBX CVE CVE-2021-45461. Unfortunately, the blog fails to point out that details for this CVE have been published and a patch released for some time. The writer also appears to have only a superficial knowledge of Asterisk-based PBXs. There is much confusion throughout between the Asterisk project (OSS telephony engine) with the Elastix project (EOL PBX based on Asterisk). There is further confusion between the PBX software module intended to configure Digium phones and the actual hardware phones manufactured by Digium.

 

While the blog post appears to have lots of detail, there is really no technical depth. It does not appear to identify any new vulnerabilities, nor does it do a good job of describing the known ones. What it does do is serve as a reminder to be vigilant about security. To clarify some of the possible questions raised by this publication:

 

  • Like any software system, FreePBX and PBXact systems that are not kept up to date can be vulnerable. A solid security plan must include regular maintenance, and all administrators are strongly encouraged to keep current on PBX modules and system services. With FreePBX and PBXact, this is done using the Updates option from the Admin Menu. There are PBX dashboard notifications displayed on the rare occasion when there are security updates pending.

 

  • The abandoned Elastix project mentioned in the blog post was an Asterisk-based PBX system that went end of life sometime late in 2016. Anyone running an EOL Elastix system in production needs to prioritize migrating to something supported. A backup taken on an old Elastix 2.5 system should be restorable to FreePBX or PBXact 15+, with most of the configuration being restored, though there will often be some minor cleanup after restoring from such an old version. The FreePBX engineering team has spent considerable effort ensuring that restores from legacy versions can be restored to current 15+ systems.

 

Apart from the FreePBX and PBXact Phone Apps module version specifically linked in the CVE above, no other Sangoma VoIP software or hardware products are affected. This includes Switchvox, Digium, and Sangoma VoIP endpoints, Gateways, and SBCs.  The blog mentions Digium phones, but in doing so, confuses telephones with the PBX software module used for provisioning Digium phones. As of this writing, there are no reported security issues that have not been addressed with CVS and published fixes.

Unable to render {include} The included page could not be found.