ASTERWEB Blog

6 May 2011

Asterisk 1.8.4-rc3 released


On 26 April the Asterisk Development Team announced the release of Asterisk 1.8.4-rc3.

From the original post:
The release of Asterisk 1.8.4-rc3 resolves a couple of issues since the last
release candidate, including two security related issues (AST-2011-005 and
AST-2011-006).

Use SSLv23_client_method instead of old SSLv2 only.
(Closes issue #19095, #19138. Reported, patched by tzafrir. Tested by russell
and chazzam.)
Resolve crash in ast_mutex_init()
(Patched by twilson)
Includes changes per AST-2011-005 and AST-2011-006

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4-rc3

Information about the security releases is available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

6 May 2011

Asterisk 1.6.2.18 released


On 26 April the Asterisk Development Team announced the release of Asterisk 1.6.2.18.

From the original post:
The release of Asterisk 1.6.2.18 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

Only offer codecs both sides support for directmedia.
(Closes issue #17403. Reported, patched by one47)
Resolution of several DTMF based attended transfer issues.
(Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
shihchuan, grecco. Patched by rmudgett)
NOTE: Be sure to read the ChangeLog for more information about these changes.
Resolve deadlocks related to device states in chan_sip
(Closes issue #18310. Reported, patched by one47. Patched by jpeeler)
Fix channel redirect out of MeetMe() and other issues with channel softhangup
(Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb.
Patched by russellb)
Fix voicemail sequencing for file based storage.
(Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by
jpeeler)
Guard against retransmitting BYEs indefinitely during attended transfers with
chan_sip.
(Review: https://reviewboard.asterisk.org/r/1077/)

In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18

6 May 2011

Asterisk 1.4.41 released


On 26 April the Asterisk Development Team announced the release of Asterisk 1.4.41.

From the original post:
The release of Asterisk 1.4.41 resolves several issues reported by the community
and would not have been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

Only offer codecs both sides support for directmedia.
(Closes issue #17403. Reported, patched by one47)
Resolution of several DTMF based attended transfer issues.
(Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
shihchuan, grecco. Patched by rmudgett)
NOTE: Be sure to read the ChangeLog for more information about these changes.
Fix channel redirect out of MeetMe() and other issues with channel softhangup
(Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb.
Patched by russellb)
Fix voicemail sequencing for file based storage.
(Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by
jpeeler)
Guard against retransmitting BYEs indefinitely during attended transfers with
chan_sip.
(Review: https://reviewboard.asterisk.org/r/1077/)

In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

After the initial release of AST-2011-006, a regression was found and then
resolved. This release contains the correct change.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.41

22 April 2011

New Asterisk Security Releases: 1.4.40.1, 1.6.1.25, 1.6.2.17.3 and 1.8.3.3


On 21 April the Asterisk Development Team announced the release of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3 and 1.8.3.3 (Security Releases).

From the original post:
The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:

* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)

The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisories AST-2011-005 and AST-2011-006 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

18 March 2011

Asterisk: Security Releases 1.6.1.24, 1.6.2.17.2 and 1.8.3.2 released


On 17 March the Asterisk Development Team announced the release of Asterisk 1.6.1.24, 1.6.2.17.2 and 1.8.3.2 (Security Releases).

From the original post:

This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
contained a bug which caused duplicate manager entries (issue #18987).

The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:

  • Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  • Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisories AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

17 March 2011

Asterisk: Security Releases 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 released


On 17 March the Asterisk Development Team announced the release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 (Security Releases).

From the original post:

The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:

  • Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  • Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisories AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

17 March 2011

Asterisk security – AST-2011-004: Remote crash vulnerability in TCP/TLS server


Here is the link to download the PDF document:

http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

17 March 2011

Asterisk security – AST-2011-003: Resource exhaustion in Asterisk Manager Interface


Here is the link to download the PDF document:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf

22 February 2011

Asterisk security – AST-2011-002: Multiple array overflow and crash vulnerabilities in UDPTL code


Here is the link to download the PDF document:

http://downloads.asterisk.org/pub/security/AST-2011-002.pdf

21 January 2011

Asterisk 1.8.2.2 (Security Release) released


On 20 January the Asterisk Development Team announced the release of Asterisk 1.8.2.2.

From the original post:

The Asterisk Development Team has announced a release for the security issue
described in AST-2011-001.

Due to a failed merge, Asterisk 1.8.2.1, which should have included the security
fix, did not. Asterisk 1.8.2.2 contains the changes which should have been
included in Asterisk 1.8.2.1.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2,
1.8.1.2, and 1.8.2.2 resolve an issue when forming an outgoing SIP request while
in pedantic mode, which can cause a stack buffer to be made to overflow if
supplied with carefully crafted caller ID information. The issue and resolution
are described in the AST-2011-001 security advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2011-001, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisory AST-2011-001 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-001.pdf


19 January 2011

Security: AST-2011-001 – Stack buffer overflow in SIP channel driver


Here is an excerpt from the AST-2011-001 security advisory:

Description: When forming an outgoing SIP request while in pedantic mode, a stack buffer can be made to overflow if supplied with carefully crafted caller ID information. This vulnerability also affects the URIENCODE dialplan function and, in some versions of Asterisk, the AGI dialplan application as well. The ast_uri_encode function does not properly respect the size of its output buffer and can write past the end of it when encoding URIs.

Resolution: The size of the output buffer passed to the ast_uri_encode function is now properly respected.

In Asterisk versions not containing the fix for this issue, limiting strings originating from remote sources that will be URI encoded to a length of 40 characters will protect against this vulnerability.

    exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
    exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
    exten => s,n,Dial(SIP/channel)

The CALLERID(num) and CALLERID(name) channel values, and any strings passed to the URIENCODE dialplan function, should be limited in this manner.

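The advisory describes two defences: the workaround bounds the input (40 characters before Dial), and the fix bounds the output (the encoder respects its buffer size). The following Python, added here as an illustration and not taken from Asterisk or from the advisory, models both side by side so the arithmetic behind the 40-character limit can be checked. The reserved-character set, the lower-case hex output, the 256-byte buffer and the function names are assumptions made for this example; the advisory states none of them.

```python
"""Added example, not code from Asterisk or from the AST-2011-001 advisory.

Models the two defences the advisory describes for remote-supplied strings that
Asterisk percent-encodes into an outgoing SIP request:
  1. bound the input  - the dialplan workaround ${VAR:0:40};
  2. bound the output - the fix makes the encoder respect its buffer size.
The reserved-character set and the 256-byte default buffer are assumptions made
for this example; the advisory does not state them.
"""

RESERVED = set(";/?:@&=+$,# ")   # assumed escape set (plus every control character)
MAX_CALLERID_LEN = 40            # length enforced by the advisory's workaround
WORST_CASE_EXPANSION = 3         # any single byte may become "%xx"


def dialplan_truncate(value, limit=MAX_CALLERID_LEN):
    """Equivalent of Set(CALLERID(num)=${CALLERID(num):0:40}): keep at most
    `limit` characters of a string that came from the remote side."""
    return value[:limit]


def fits_in_buffer(value, buflen):
    """True when even the fully escaped form of `value` fits in a buflen-byte
    C buffer, leaving one byte for the NUL terminator."""
    return len(value) * WORST_CASE_EXPANSION + 1 <= buflen


def uri_encode_bounded(value, buflen):
    """Percent-encode the way a *fixed* encoder must: stop before the output
    would exceed buflen-1 bytes instead of writing past the end of the buffer.
    Lower-case hex is assumed to match a C "%%%02x" format."""
    out = []
    used = 0
    for ch in value:
        code = ord(ch)
        piece = "%%%02x" % code if (code < 32 or ch in RESERVED) else ch
        if used + len(piece) > buflen - 1:   # the bounds check the vulnerable version lacked
            break
        out.append(piece)
        used += len(piece)
    return "".join(out)


def safe_caller_id(num, name, buflen=256):
    """The workaround as a function: truncate both caller-ID fields first, then
    encode each into a fixed-size buffer. Returns (encoded_num, encoded_name)."""
    num, name = dialplan_truncate(num), dialplan_truncate(name)
    # After truncation the worst case is 40 * 3 + 1 = 121 bytes, so a 256-byte
    # buffer can never be overrun even by an all-reserved string.
    assert fits_in_buffer(num, buflen) and fits_in_buffer(name, buflen)
    return uri_encode_bounded(num, buflen), uri_encode_bounded(name, buflen)


if __name__ == "__main__":
    # Constructed attacker-style caller ID: 100 reserved characters, each of
    # which expands threefold when encoded.
    crafted = ";" * 100
    print(safe_caller_id(crafted, "Alice Smith"))
```

The point of `fits_in_buffer` is that 40 characters is safe only because every character expands to at most three bytes; if a deployment passes longer strings through URIENCODE, the same check tells you how large the destination buffer must be.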

5 July 2010

iptables configuration (complements the fail2ban post)


Following a number of requests we received, and as a complement to the fail2ban post, we have put together a tutorial for a working iptables configuration that can be used right away. This is the link to the tutorial.

Of course, anyone who wants a better understanding of how iptables works is referred to a more thorough study.

Regards

Asterweb

29 June 2010

Elastix (finally) recommends fail2ban on its blog


Slowly but surely, they got there too.

With a post on 26 June they in fact point to another post (written by others) explaining how to install and configure fail2ban to protect your PBX.

Big question: why don't they ship it by default on Elastix, as pbxinaflash has always done?

That said, I refer you to the tutorial I wrote some time ago explaining how to install and configure fail2ban.

By the way, for those who don't know: fail2ban monitors the log files produced by the various programs (ssh, asterisk, etc.) and, when it detects failed access attempts (for example on SSH) or failed SIP client registrations (for Asterisk), bans the IP by modifying iptables.
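As an added example (not fail2ban's own code and not the tutorial's), the following Python does the detection step described above for the Asterisk case: it parses failed SIP registrations out of log lines in the /var/log/asterisk/messages style, applies the maxretry/findtime logic a fail2ban jail uses, and builds the iptables rule the iptables-multiport action would insert. The sample log lines are constructed, and the chain name "fail2ban-asterisk", the reason strings and the 1.8-style ":port" suffix are assumptions to be checked against your own log before reuse.

```python
"""Added example, not fail2ban's code nor the tutorial's: the detection step
fail2ban performs for Asterisk, run over constructed log lines.

It parses failed SIP registrations out of /var/log/asterisk/messages-style
lines, applies fail2ban's maxretry/findtime logic, and builds (without
running) the iptables rule the iptables-multiport action would insert.
The chain name "fail2ban-asterisk" and the message formats below are
assumptions for this example; check them against your own log before use.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real capture): five failures from one host within
# two seconds, a single failure from another host, and one unrelated line.
SAMPLE_LOG = """\
[2010-06-29 10:15:01] NOTICE[2212] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-06-29 10:15:01] NOTICE[2212] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[2010-06-29 10:15:02] NOTICE[2212] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-06-29 10:15:02] NOTICE[2212] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '198.51.100.7:5060' - Username/auth name mismatch
[2010-06-29 10:15:03] NOTICE[2212] chan_sip.c: Registration from '"104"<sip:104@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2010-06-29 10:20:00] NOTICE[2212] chan_sip.c: Registration from '"200"<sip:200@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[2010-06-29 10:21:00] VERBOSE[2212] logger.c:     -- Registered SIP '200' at 203.0.113.9:5060
"""

FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "   # assumed: 1.8 appends :port, 1.4/1.6 do not
    r"(?P<reason>Wrong password|Username/auth name mismatch|No matching peer found|"
    r"Peer is not supposed to register|ACL error \(permit/deny\))$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every failed registration line."""
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]


def offenders(log_text, maxretry=5, findtime=timedelta(seconds=600)):
    """IPs with at least `maxretry` failures inside any `findtime` window,
    the same two knobs a fail2ban jail exposes (defaults shown)."""
    times_by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        times_by_ip[ip].append(ts)
    banned = []
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


def reason_counts(log_text):
    """Break the failures down by Asterisk's reason string; useful to tell a
    password-guessing run from an extension-scanning run."""
    return Counter(reason for _, _, reason in parse_failures(log_text))


def ban_command(ip, chain="fail2ban-asterisk"):
    """The rule fail2ban's iptables-multiport action inserts for a banned host,
    as an argv list so it can go to subprocess without shell quoting.
    Nothing here executes it."""
    return ["iptables", "-I", chain, "1", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(" ".join(ban_command(ip)))
```

Two things the sample shows that the sentence alone does not: the window matters (one failure every few minutes never trips a 5-in-600-seconds jail, which is why scanners throttle), and the reason string tells you what the attacker is doing (`No matching peer found` is extension enumeration, `Wrong password` is credential guessing against an extension that exists).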

29 June 2010

SIPVicious now protects against itself


Version 0.2.6 of the "infamous" SIPVicious includes the new tool svcrash.py, which is able to stop attacks run with svwar or svcrack by crashing them (at least those from earlier versions).

I have not yet had a chance to test it fully. Once I have, I will write another post.

Until next time.

14 June 2010

Asterisk security: "so you really are a fool …"


Sorry for the title, but sometimes it has to be said!

I am talking about Asterisk security, and specifically about the classic case where the PBX is attacked, the attackers register and run up a few thousand euros of calls at someone else's expense!!!

Coming back to the title of the post: if this happens to a user who built his own PBX and does not regularly follow the evolution of the "Asterisk world", it is still understandable (up to a point, obviously, because the company will not be particularly happy if something like this happens); but if it happens to a reseller, to someone who does this for a living, then there is no excuse.

The topic is in fact widely covered and highly topical (every day some PBX gets compromised), so failing to organise for it is a serious harm. A serious harm for everyone:

  • for the customer, who suffers the direct financial loss (obviously)
  • for the reseller, who looks very bad (to put it mildly)
  • for everyone working in the sector who makes a serious, professional effort every day and then hears from prospective customers: "... but I heard Asterisk is not secure ..."

That said, it is clear that when talking about "IT security" the issues are countless and nobody "expects" everyone to be a security expert, but it is likewise essential that those who make Asterisk "their trade" do so with awareness, adopting at least the minimum security criteria.