FOP2 Manager vulnerability

edited November 18 in Blog

For a couple of days we have received reports of compromised servers from FOP2 users. A preliminary analysis seems to indicate that indeed the attack vector is part of the FOP2 Manager (http://your.server/fop2/admin), more specifically in the files downloadfile.php and chunkdonwloadhelper.php

In case you have the FOP2 interface exposed to the internet and as an urgent measure we suggest you perform the following actions until we can confirm the problem and provide definitive measures to avoid the problem.

Log into your FOP2 Manager dashboard at https://your.server/fop2/admin
You should see the new 1.2.4 version available. Upgrade directly from there. Once done, your server won't be vulnerable any longer.

To find out if your server was already compromised you can check for the existence of the following files that are not part of FOP2 but are injected by attackers to download and run a cryptocurrency mining script:

ls -la /var/www/html/fop2/lang/index.php
ls -la /var/www/html/fop2/lang/ko.php

If you have any of these two files, your computer was compromised, you should delete these files immediately.

Comments

  • We have just released FOP2 Manager version 1.2.4 that fixes the vulnerability. You should be able to upgrade directly from the FOP2 Manager dashboard.

    We also updated all release tarballs from our repositories. That means that if you reinstall FOP2 from a file downloaded from our sites, it will included the patched files already (From version 2.28 to 2.31.33).

  • Another file that might indicate your FreePBX server was compromised is this one:

    /var/www/html/admin/assets/js/modgettext.js

    If it has the word "eval" in it, then it was modified/replaced with malicious code, you can check with the command:

    grep eval /var/www/html/admin/assets/js/modgettext.js

    If i returns anything, then that file was compromised and you need to restore it from the original source (freepbx rpms).

  • Hi Nicolas,

    Some of my servers have the ability to upgrade within the panel and others don't show the upgrade at all. Is there another way to update?

    I have several servers that have been impacted by this.

  • If you are within the yearly support/upgrades, you can upgrade to the latest version with this command:

    wget -O - http://download.fop2.com/upgrade_fop2.sh | bash
    

    If you are not within the year, then you can download the same FOP2 version from our site (www.fop2.com/download.php), extract and install over (all previous affected versions are already patched). Suppose you have version 2.29.03 and you want to reinstall, you should do this (assuming you have FreePBX/Issabel based on Centos 64 bits:

    cd /usr/src
    wget download.fop2.com/fop2-2.29.03-centos-x86_64.tgz
    tar zxvr fop2-2.29.03-centos-x86_64.tgz
    cd fop2
    make install
    

    If you have other versions, follow the naming convention to get the appropriate one (you can check versions by running /usr/local/fop2/fop2_server -v)

    Best regards,

  • @nicolas when I attempt to update via the 2nd method I get an error saying the license is invalid. When I did a license test I see

        Flash Operator Panel 2 - Valid License (/usr/local/fop2/fop2.lic)
        Flash Operator Panel 2 - Featureset: Basic
        Flash Operator Panel 2 - Allowed Tenants: 5
       Connection to manager OK (021006)!
    

    When I try to revoke I can't because I don't know the license for this specific server. Any way to find that out?

  • For convenience's sake, I've made a nice little one-liner for everyone to copy/paste into their FreePBX CLI:

    cd /usr/src && wget download.fop2.com/fop2-$(/usr/local/fop2/fop2_server --version | cut -d " " -f 3)-centos-x86_64.tgz && tar -zxvf fop2-$(/usr/local/fop2/fop2_server --version | cut -d " " -f 3)-centos-x86_64.tgz && cd /usr/src/fop2 && make install

    (something something don't copy/paste code you find on the internet, with great power comes great responsibility, results may vary, etc etc)

    Also:
    Just to make sure I'm understanding this correctly, you've patched the vulnerability in all versions of FOP2, and then we're supposed to re-install the version of FOP2 that we already have onto itself. Is that correct?
    In my testing, the make install fails, with "Reactivation failed! (EXPIRED)", which is correct - our maintenance licenses are not up-to-date, and that's fine as far as we're concerned. However, this appears to prevent the re-installation from occurring - a file I deliberately broke in the web GUI was not overwritten with a new file from the installer after running my above script. Am I misinterpreting my test, or do we have to buy maintenance licenses for every one of our FOP2 installations in order to perform this patch?

Sign In or Register to comment.