Recommended VICIdial Security Upgrade Notice: September 2024

Projects needing sponsorship, and bounties for projects

Moderators: Staydog, mflorell, MJCoate, mcargile, Kumba

Recommended VICIdial Security Upgrade Notice: September 2024

Postby mflorell » Tue Sep 17, 2024 7:48 am

Please read this carefully as it contains important information regarding the security of your VICIdial system.

Due to the recent discovery of two new security risks in the admin and agent web interface code, we have rolled out an update to the VICIdial code-base. These vulnerabilities have already been patched in the open-source codebase. Any system that is at SVN revision 3848 or greater already has these changes(July 8, 2024). If your system is below that version, we strongly recommend that you upgrade VICIdial to address these concerns.

Instructions for how to connect to our public SVN server to get the latest code are available here:
http://wiki.vicidial.org/doku.php?id=svn

You can also find recent snapshots of the svn code available here:
https://www.vicidial.org/svn_trunk_nightly/

If you have a VICIhost account with us, know that we have already upgraded all servers and there is nothing that needs to be done on your end.

This Upgrade Notice covers two separate CVEs that have been published in the last week. These vulnerabilities involve PHP specifically, most of them require authenticated user access to your VICIdial system to exploit. Most of these exploits involved incomplete PHP input variable filtering.
Here are the details on the two CVEs:
https://korelogic.com/Resources/Advisor ... 24-011.txt
https://korelogic.com/Resources/Advisor ... 24-012.txt

If you have any questions about this notice, please contact us or reply to this post.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Recommended VICIdial Security Upgrade Notice: September

Postby carpenox » Tue Sep 17, 2024 9:44 am

Dozens of people were hit this weekend. I woke up to over 50 messages from people in the community saying they could not see the "lists" page and could not manage dial controls on there campaigns, new campaigns, lists, users and phones added to their setups. It was wild.
Alma Linux 9.5 | SVN Version: 3892 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2445
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Recommended VICIdial Security Upgrade Notice: September

Postby mflorell » Tue Sep 17, 2024 9:34 pm

We do have a release schedule we usually go through when there are vulnerabilities like these, and this security researcher really pushed to disclose as soon as possible, and when we had delays that threw us off our schedule, that is why our public disclosure came out after the release. But in addition to this, this "security researcher" promoted this vulnerability very heavily on social media, to a level we've never seen before, the number of posts mentioning it on Twitter easily eclipse any other past vulnerability report for VICIdial that I've ever seen before.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Recommended VICIdial Security Upgrade Notice: September

Postby carpenox » Wed Sep 18, 2024 10:03 am

Yea its been really bad, the sql to enumerate users and passwords and then the RCE to plant miners, ddos bots, take full control of admin and the servers themselves. definitely the worst ones Ive seen yet.
Alma Linux 9.5 | SVN Version: 3892 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2445
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Recommended VICIdial Security Upgrade Notice: September

Postby njr » Wed Sep 18, 2024 10:31 am

Just FYI, still check no matter what SVN version. I'm on 3870, upgraded 8/31, and still had an incident. Not sure of full scope yet, but at least one campaign added and the missing Campaign Dial, etc. Luckily, not much more than that. My fault for still having the 6666 user. Just one of those things that I always meant to get to...so if that's also you, do it now :)

Update: Further info. I found that the attack happened on my secondary webserver, which is also a dialer and then just used as a web server as needed and for testing custom pages. This server is on 3870, but the web-related files were apparently not updated. So, be sure to check that VERM_AJAX_functions.php has at least this in the changelog at the top:
# CHANGELOG:
# 220825-1608 - First build
# 240709-2151 - Added input variable filtering
# 240801-1130 - Code updates for PHP8 compatibility
#

The last one is Aug 1, which is later than when 3848 was released.
Last edited by njr on Wed Sep 18, 2024 11:52 am, edited 1 time in total.
Vicibox 11 from .iso installed/set up by Vicidial | Vicidial 2.14-900a Build: 231115-1636 | Asterisk 16.30.0-vici | 10-server cluster (1 primary DB, 1 primary web, 8 asterisk) in Colo DC | OpenSIPS on web as LB | 10x Dell R740XD
njr
 
Posts: 17
Joined: Fri Dec 08, 2023 1:41 pm

Re: Recommended VICIdial Security Upgrade Notice: September

Postby carpenox » Wed Sep 18, 2024 11:21 am

Kind of scary that 3870 was hit, I do see the ajax function was upgraded with maanager_send at 3848, but no update notes on the ajax file?
Alma Linux 9.5 | SVN Version: 3892 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2445
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Recommended VICIdial Security Upgrade Notice: September

Postby carpenox » Tue Sep 24, 2024 9:02 am

turned out that 3870 wasnt hit, it was an asterisk server in his cluster that wasnt updated and https was open on
Alma Linux 9.5 | SVN Version: 3892 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2445
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Recommended VICIdial Security Upgrade Notice: September

Postby njr » Tue Sep 24, 2024 12:59 pm

carpenox wrote:turned out that 3870 wasnt hit, it was an asterisk server in his cluster that wasnt updated and https was open on

I added an edit. To clarify though, the server was indeed updated, but the web-related files weren't. However, this could be unique to my setup. Regardless, I would still recommending the file I mentioned in my update :)
Vicibox 11 from .iso installed/set up by Vicidial | Vicidial 2.14-900a Build: 231115-1636 | Asterisk 16.30.0-vici | 10-server cluster (1 primary DB, 1 primary web, 8 asterisk) in Colo DC | OpenSIPS on web as LB | 10x Dell R740XD
njr
 
Posts: 17
Joined: Fri Dec 08, 2023 1:41 pm

Re: Recommended VICIdial Security Upgrade Notice: September

Postby mtendemichael » Thu Oct 24, 2024 8:34 am

Thank you for this
mtendemichael
 
Posts: 1
Joined: Wed Jul 18, 2018 3:10 am


Return to Projects

Who is online

Users browsing this forum: No registered users and 2 guests