vicidial.org

[mflorell]

Please read this carefully as it contains important information regarding the security of your VICIdial system.

Due to the recent discovery of two new security risks in the admin and agent web interface code, we have rolled out an update to the VICIdial code-base. These vulnerabilities have already been patched in the open-source codebase. Any system that is at SVN revision 3848 or greater already has these changes(July 8, 2024). If your system is below that version, we strongly recommend that you upgrade VICIdial to address these concerns.

Instructions for how to connect to our public SVN server to get the latest code are available here:
http://wiki.vicidial.org/doku.php?id=svn

You can also find recent snapshots of the svn code available here:
https://www.vicidial.org/svn_trunk_nightly/

If you have a VICIhost account with us, know that we have already upgraded all servers and there is nothing that needs to be done on your end.

This Upgrade Notice covers two separate CVEs that have been published in the last week. These vulnerabilities involve PHP specifically, most of them require authenticated user access to your VICIdial system to exploit. Most of these exploits involved incomplete PHP input variable filtering.
Here are the details on the two CVEs:
https://korelogic.com/Resources/Advisor ... 24-011.txt
https://korelogic.com/Resources/Advisor ... 24-012.txt

If you have any questions about this notice, please contact us or reply to this post.

[carpenox]

Dozens of people were hit this weekend. I woke up to over 50 messages from people in the community saying they could not see the "lists" page and could not manage dial controls on there campaigns, new campaigns, lists, users and phones added to their setups. It was wild.

[mflorell]

We do have a release schedule we usually go through when there are vulnerabilities like these, and this security researcher really pushed to disclose as soon as possible, and when we had delays that threw us off our schedule, that is why our public disclosure came out after the release. But in addition to this, this "security researcher" promoted this vulnerability very heavily on social media, to a level we've never seen before, the number of posts mentioning it on Twitter easily eclipse any other past vulnerability report for VICIdial that I've ever seen before.

[carpenox]

Yea its been really bad, the sql to enumerate users and passwords and then the RCE to plant miners, ddos bots, take full control of admin and the servers themselves. definitely the worst ones Ive seen yet.

[njr]

Just FYI, still check no matter what SVN version. I'm on 3870, upgraded 8/31, and still had an incident. Not sure of full scope yet, but at least one campaign added and the missing Campaign Dial, etc. Luckily, not much more than that. My fault for still having the 6666 user. Just one of those things that I always meant to get to...so if that's also you, do it now

Update: Further info. I found that the attack happened on my secondary webserver, which is also a dialer and then just used as a web server as needed and for testing custom pages. This server is on 3870, but the web-related files were apparently not updated. So, be sure to check that VERM_AJAX_functions.php has at least this in the changelog at the top:
# CHANGELOG:
# 220825-1608 - First build
# 240709-2151 - Added input variable filtering
# 240801-1130 - Code updates for PHP8 compatibility
#

The last one is Aug 1, which is later than when 3848 was released.

[carpenox]

Kind of scary that 3870 was hit, I do see the ajax function was upgraded with maanager_send at 3848, but no update notes on the ajax file?

[carpenox]

turned out that 3870 wasnt hit, it was an asterisk server in his cluster that wasnt updated and https was open on

[njr]

turned out that 3870 wasnt hit, it was an asterisk server in his cluster that wasnt updated and https was open on

I added an edit. To clarify though, the server was indeed updated, but the web-related files weren't. However, this could be unique to my setup. Regardless, I would still recommending the file I mentioned in my update

[mtendemichael]

Thank you for this