Security exploit of the Transfer functionality (FREEPBX-12058)


The FreePBX default feature code for the Asterisk Built-in Attended Transfer feature is *2. The default Asterisk Dial Options configured under Advanced Settings include Tt, which allows the calling and the called party to transfer calls.
If these defaults are not changed by the administrator, then they can be easilty exploited by external callers into the system.

The following describes the scenario where these defaults can be exploited:

  1. An external caller dials into a FreePBX based system and gets the incoming call answered (e.g. by dialing an extension - they have to guess a valid extension, by going through an IVR to some extension, using a directory, by reaching an operator, etc.)
  2. Once the call is answered by an extension on the system (transfer cannot be used otherwise), the external caller presses *2 to invoke the Asterisk Built-in Attended Transfer feature. FreePBX based systems in their default configuration allow external callers to use this feature.
  3. When the attended transfer is invoked, the external caller is presented with a dial tone and can dial any external destination allowed by the system.

From the perspective of the user answering the initial call (extension, operator, etc.), the user will hear the phone ring, answer it, and almost immediately hear music on hold, so they hang up.

UCx Exposure

The version of FreePBX installed and used on the UCx platform prior to April 20, 2016 does have this security vulnerability. Perform a Software Update on your UCx system to pick up the fix for this issue implemented in the following versions of FreePBX:

  • UCx Release 4.0 - FreePBX version 2.11.0-59
  • UCx Release 4.5 - FreePBX version 2.11.1-35
  • UCx Release 5.0 - FreePBX version 2.11.2-7

With this fix, the transfer feature *2 is disallowed for external inbound callers.

If you want to re-enable this capability, there is a new setting called Disallow Transfers for Inbound Callers under the Advanced Settings page. The default value for this setting is True.

You can choose to workaround this security issue by changing default feature code for Asterisk Built-in Attended Transfer from the default *2 to something else. The external caller will not know to invoke the transfer feature and therefore unable to use it to make calls.