Asterisk
Asterisk Security Advisory – RTP Remote Crash Vulnerability
Posted December 4th, 2009 by admin
Earlier this week, the security team at Digium released Asterisk Projects Security Advisory AST-2009-010 identifying an interesting attack where an attacker can send a malformed RTP packet within the RTP stream and crash the Asterisk system. The fix identified is to upgrade to the latest version of Asterisk.
My one bit of feedback to the folks at Digium would be that their advisories do not provide any information about mitigating circumstances. (Would be great if they could add such a section.)
Your dial plan, the last line of defence – part 1
Posted July 19th, 2009 by admin
We all know the bad, ugly truth: most people do not update their PBX software to handle the latest security vulnerabilities. As long as your PBX can receive incoming client connections, you are at risk. Not because you have given your users weak user name / password combinations, but because your PBX has a security flaw you did not know about.
Common solutions
Let’s face it: PBX security is not as sexy as operating systems or web security. When did you last read about a security flaw in a PBX product in the mainstream IT press? Compare this to any mention of an OS or web security hole.
Digium Releases Hardware-based Voice Compression PCI Express Card for Asterisk Systems
Posted June 30th, 2009 by admin
Digium releases the TCE400B PCI Express card for use with voice applications based on the open source Asterisk telephony platform. The new card provides hardware-based voice compression and decompression (codec) capabilities to shift transcoding from software to hardware. Using the TCE400B in place of a software-only solution places fewer demands on servers and frees up Asterisk to more efficiently process calls and to provide functionality for phone systems such as call recording, conference calling and interactive voice response.
Asterisk Security advisory - Information leak in IAX2 authentication
Posted January 9th, 2009 by admin
If you are an Asterisk user, you should be aware that Digium has released AST-2009-001 Information leak in IAX2 authentication. The description is:
IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts.
Digium Announces Winners of 2008 Innovation Awards
Posted September 24th, 2008 by admin
Digium is proud to announce the winners of the 2008 Digium Innovation Awards. The company announced the winners today at AstriCon, the industry conference and exhibition dedicated to Asterisk. The Innovation Awards recognize innovation, enterprise-class solutions, measurable return on investment, and use of Asterisk in businesses outside of the communications industry.
Asterisk "hack" to show blocked Caller-ID points to larger trust issues with SIP
Posted July 23rd, 2008 by admin
Can Asterisk really be used to "unmask" blocked Caller-ID and show the private number?
Well, yes... but it really has less to do with Asterisk than it does with not respecting the signaling sent to you by a SIP trunking provider. It's conceivable that any IP-PBX could be configured to allow you to do this... and points to a larger issue with trust boundaries between SIP Service Providers (a.k.a. Internet Telephony Service Providers or ITSPs) and their customers.
THE "HACK"
Two new Asterisk security advisories...
Posted July 22nd, 2008 by admin
The security team over at Digium today released two new security advisories. In both cases, the fixes are in the latest version of Asterisk and all Asterisk users should upgrade to those new versions.
AST-2008-010 - IAX2 "POKE" RESOURCE EXHAUSTION
Update Asterisk
Posted February 29th, 2008 by admin
Over on Bugtraq, another Asterisk vulnerability has been announced. Several buffer overflows affect the below version:
-----------------------
Package / Vulnerable / Unaffected
-----------------------
1 net-misc/asterisk = 1.2.17-r1
>= 1.2.21.1-r1
This one comes with an admonishment to upgrade to the latest patch:
All Asterisk users should upgrade to the latest version:
Digium Expands Asterisk Support with Subscription-based Services
Posted July 31st, 2007 by admin
Digium introduces a new subscription-based service offering designed to give Digium Asterisk customers and partners faster, easier and unlimited access to Digium service and support. Offered in Silver, Gold and Platinum levels, Digium's subscription-based services will be available for all business-class products beginning with the Digium Asterisk Appliance, now available.
The voice communications market continues to experience rapid growth with more companies evaluating and choosing open source as a cost-effective and flexible alternative to proprietary telephony solutions.
Four Asterisk security vulnerabilities released
Posted July 23rd, 2007 by admin
Last week the folks at Digium released 4 security advisories on their www.asterisk.org/security web site. They are:






