In early 2023, the number of attacks on FreePBX Asterisk systems increased. The attack vector exploited by hackers is the ARI (Asterisk REST Interface). To gain access to the ARI interface, an attacker must know the ARI username and password, as well as the login details for the FreePBX administrative interface. This is why it is so important to use strong, hard-to-crack passwords. The new version of FreePBX shows the error: “Change ARI Username Password”.
The ARI user and its password are created during the FreePBX installation. The username consists of about 15 random characters, and the password of about 30 random characters. The developers of the FreePBX system discovered that for some reason on some systems the username and password are not unique.
This does not look like an error in Asterisk or FreePBX itself, so their versions are irrelevant here. If there has been a leak of ARI data, the hacker can gain access to our FreePBX system regardless of its version.
How to get rid of the “Change ARI Username Password” error

To patch the security hole, we must create a new ARI user and a new password for it. To create a new ARI user, log in to your FreePBX system and enter the command:
fwconsole rpc "ari.create_user('RANDOM_CHARACTERS', 'RANDOM_PASSWORD')"
In place of RANDOM_CHARACTERS, enter 15 random alphanumeric characters. Then create a new password with the command:
fwconsole rpc "ari.change_password('RANDOM_CHARACTERS', 'RANDOM_PASSWORD')"
In place of RANDOM_PASSWORD, enter 30 random alphanumeric characters. Next, we need to reload the settings with the command:
fwconsole reload
Finally, all you have to do is restart FreePBX with the command:
fwconsole restart
After the restart, the “Change ARI Username Password” error message should disappear.
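The steps above leave generating the random values to the reader. The shell functions below are an added example, not part of the original article or of FreePBX: they draw the 15-character username and 30-character password from /dev/urandom and verify the result. The function names rand_alnum, is_alnum_len and make_ari_credentials are made up for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): generate the RANDOM_CHARACTERS and
# RANDOM_PASSWORD values from the kernel CSPRNG instead of typing them by hand
# or using $RANDOM, which is predictable.

# rand_alnum N -> prints exactly N random characters from [A-Za-z0-9]
rand_alnum() {
    _n=$1
    case $_n in
        ''|*[!0-9]*) echo "rand_alnum: length must be a number" >&2; return 1 ;;
    esac
    [ "$_n" -gt 0 ] || { echo "rand_alnum: length must be > 0" >&2; return 1; }
    _out=
    # Filtering random bytes discards about three quarters of them,
    # so keep reading until enough characters have been collected.
    while [ "${#_out}" -lt "$_n" ]; do
        _out=$_out$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
    done
    printf '%s\n' "$_out" | cut -c1-"$_n"
}

# is_alnum_len VALUE N -> succeeds only if VALUE is exactly N alphanumeric characters
is_alnum_len() {
    [ "${#1}" -eq "$2" ] || return 1
    case $1 in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# make_ari_credentials -> prints "USERNAME PASSWORD" (15 and 30 characters,
# the lengths given in the article), or fails if either value is malformed
make_ari_credentials() {
    _u=$(rand_alnum 15) || return 1
    _p=$(rand_alnum 30) || return 1
    is_alnum_len "$_u" 15 && is_alnum_len "$_p" 30 || return 1
    printf '%s %s\n' "$_u" "$_p"
}

# Usage: set -- $(make_ari_credentials)
# then use "$1" in place of RANDOM_CHARACTERS and "$2" in place of RANDOM_PASSWORD.
```

Values substituted into a command line end up in the shell history, so clear or disable history for that session once the new credentials are set.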

Summary
FreePBX is an extremely secure system. However, even the most secure system will be vulnerable to hacking if easy-to-crack passwords are used and the configuration is incorrect.