
Well known hard-coded password used to secure event socket

Open PortableNuke opened this issue 5 years ago • 4 comments

The NIST have flagged the use of a well-known and hard-coded password in the mod_event_socket module as a security flaw in all versions since 1.6.10.

The password that controls access to the event socket is stored in plain text form in the event_socket.conf.xml file. Also, should the password value not be found in the configuration file, the code falls back on the same value which is embedded within the code itself (again in plaintext).

PortableNuke avatar Jun 15 '20 21:06 PortableNuke

Note that by default event socket is only listening on localhost. We do NOT recommend ever making this available even off host, let alone the public internet, even with other precautions in place.

mjerris avatar Jun 15 '20 22:06 mjerris

That password is ClueCon BTW, be sure to attend!

On Mon, Jun 15, 2020 at 5:45 PM Michael Jerris [email protected] wrote:

Note that by default event socket is only listening on localhost. we do NOT recommend ever making this available even off host, let alone the public internet, even with other precautions in place.


-- Anthony Minessale II Founder, FreeSWITCH. http://freeswitch.com


anthmFS avatar Jun 16 '20 00:06 anthmFS

Whilst the password being in plaintext is a concern in itself, I'd be more concerned by the elevation of privilege exploit that the embedded default values offer. By removing entries in the file, or indeed removing the file itself, a local user can gain access to the port and use it to run commands at an elevated privilege (for example, when set up as a Windows service the default account used is Local System). Is there a reason why the module always loads (with default values for all those not provided) rather than failing to load and reporting the fact in the log?

PortableNuke avatar Feb 02 '21 09:02 PortableNuke

I agree with the concerns of the OP, and furthermore after just reading https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket and discovering that the vanilla install opens connections to the world via <param name="listen-ip" value="::"/> I wonder why it isn't instead the recommended value <param name="listen-ip" value="::1"/> for localhost-only.

David-dp- avatar Jul 23 '22 00:07 David-dp-
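The thread raises three configuration conditions an operator would want to catch before deployment: a missing password parameter (so the embedded fallback applies), the well-known default password, and a wildcard listen address instead of loopback. The following audit script is an added example written for this page; it is not FreeSWITCH project code. It parses a single event_socket.conf.xml with the standard library and reports those conditions. The sample configuration embedded in it is constructed from the parameter names quoted in the thread (listen-ip, listen-port, password) and the stock file layout; the hardened variant's password value is a placeholder, not a recommended secret. The script only looks at the one file it is given and does not follow X-PRE-PROCESS includes.

```python
"""Audit an event_socket.conf.xml for the weaknesses discussed in the thread."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling the stock file: wildcard bind address and the
# well-known default password named in the thread.
SAMPLE_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>"""

# Constructed hardened variant: loopback-only bind, unique password (placeholder).
HARDENED_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="::1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="REPLACE-WITH-UNIQUE-SECRET"/>
  </settings>
</configuration>"""

WELL_KNOWN_PASSWORD = "ClueCon"            # the default named in the thread
WILDCARD_ADDRESSES = {"::", "0.0.0.0"}     # bind on every interface
LOOPBACK_ADDRESSES = {"::1", "127.0.0.1"}  # local-only, as the maintainers recommend


def load_params(xml_text):
    """Return {name: value} for every <param> element in the configuration."""
    root = ET.fromstring(xml_text)
    return {
        p.get("name"): p.get("value")
        for p in root.iter("param")
        if p.get("name") is not None
    }


def audit_event_socket(xml_text):
    """Return a list of findings; an empty list means no issue was detected."""
    params = load_params(xml_text)
    findings = []

    password = params.get("password")
    if password is None:
        # Per the issue, a missing value makes the module fall back to the
        # embedded default rather than refusing to load.
        findings.append("password: missing, module falls back to the embedded default")
    elif password == WELL_KNOWN_PASSWORD:
        findings.append("password: set to the well-known default")

    listen_ip = params.get("listen-ip")
    if listen_ip is None:
        findings.append("listen-ip: not set, built-in default applies (verify it is loopback)")
    elif listen_ip in WILDCARD_ADDRESSES:
        findings.append(f"listen-ip: {listen_ip} binds every interface, use a loopback address")
    elif listen_ip not in LOOPBACK_ADDRESSES:
        findings.append(f"listen-ip: {listen_ip} is not loopback-only")

    return findings


def audit_file(path):
    """Audit a configuration file on disk (path is supplied by the caller)."""
    with open(path, encoding="utf-8") as fh:
        return audit_event_socket(fh.read())


if __name__ == "__main__":
    # With no argument, audit the constructed sample so the script runs offline.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_event_socket(SAMPLE_CONF)
    for line in results or ["no findings"]:
        print(line)
```

Run it against a real deployment with the file path as the first argument (for example, the autoload_configs directory of your install; the exact location depends on the packaging). A non-empty result on the password check is the condition the issue describes; the listen-ip check encodes the localhost-only recommendation from the maintainer's comment.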