A security vulnerability in Asterisk 1.6 means your machines really do need to be updated; the advisory follows:
Asterisk Project Security Advisory - AST-2009-007
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | ACL not respected on SIP INVITE |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Unauthorized calls allowed on prohibited networks |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote unauthorized session |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | October 18, 2009 |
|--------------------+---------------------------------------------------|
| Reported By | Thomas Athineou |
|--------------------+---------------------------------------------------|
| Posted On | October 26, 2009 |
|--------------------+---------------------------------------------------|
| Last Updated On | October 26, 2009 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Jeff Peeler |
|--------------------+---------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | A missing ACL check for handling SIP INVITEs allows a |
| | device to make calls on networks intended to be |
| | prohibited as defined by the "deny" and "permit" lines |
| | in sip.conf. The ACL check for handling SIP |
| | registrations was not affected. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Users should upgrade to a version listed in the |
| | "Corrected In" section below. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.4.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.6.x | All 1.6.1 versions |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.2.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.4.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.6.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | C.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| AsteriskNOW | 1.5 | Unaffected |
|-------------------------------+----------------+-----------------------|
| s800i (Asterisk Appliance) | 1.2.x | Unaffected |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------------------------------------+--------------------------|
| Open Source Asterisk 1.6.1 | 1.6.1.8 |
+------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
| Patches |
|----------------------------------------------------------------------------|
| SVN URL |Version|
|--------------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/security/AST-2009-007-1.6.1.diff.txt| 1.6.1 |
+----------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-007.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-007.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|------------------------+------------------+----------------------------|
| October 26, 2009 | Jeff Peeler | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2009-007
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
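The advisory turns on two things a reader may want to see concretely: how the "deny" and "permit" lines of a sip.conf peer are evaluated, and the fact that this verdict has to be applied to an INVITE just as it is to a REGISTER. The Python below is an added illustration written for this post, not Digium's code and not the content of the AST-2009-007 patch. It models the deny/permit evaluation (rules walked in order, last matching line wins, no match means permit), dispatches a request through that check with a switch that reproduces the advisory's INVITE-without-ACL condition for comparison, and includes a small helper that says whether a version string (such as the output of `asterisk -V`) falls in the affected 1.6.1 range given the "Corrected In" release of 1.6.1.8. The peer section, addresses and version strings are constructed sample data; the function names are this example's own.

```python
import ipaddress
import re
from typing import List, Tuple

# A rule is ("deny" | "permit", network), in the order it appeared in sip.conf.
Rule = Tuple[str, ipaddress.IPv4Network]


def parse_acl(lines: List[str]) -> List[Rule]:
    """Collect the deny= and permit= lines of a sip.conf peer section, in order.

    Both sip.conf spellings are accepted: "addr/netmask" (255.255.0.0) and
    "addr/prefixlen" (16); a bare address means a single host.
    """
    rules: List[Rule] = []
    for line in lines:
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("deny", "permit"):
            continue  # any other sip.conf key is not part of the ACL
        addr, _, mask = value.strip().partition("/")
        net = ipaddress.IPv4Network(f"{addr}/{mask or '32'}", strict=False)
        rules.append((key, net))
    return rules


def acl_allows(rules: List[Rule], source_ip: str) -> bool:
    """Evaluate the ACL the way Asterisk treats deny/permit lines: start
    optimistic (no rules means allow), walk every rule in order, and let the
    last rule that matches the source address decide."""
    ip = ipaddress.IPv4Address(source_ip)
    verdict = True
    for sense, net in rules:
        if ip in net:
            verdict = sense == "permit"
    return verdict


def handle_request(method: str, source_ip: str, rules: List[Rule],
                   acl_on_invite: bool = True) -> str:
    """Apply the peer ACL to an incoming SIP request.

    The advisory's point is that the check must run for INVITE exactly as it
    does for REGISTER. Passing acl_on_invite=False reproduces the 1.6.1
    condition the advisory describes (INVITE handled without the ACL check)
    so the difference is visible side by side.
    """
    needs_check = method == "REGISTER" or (method == "INVITE" and acl_on_invite)
    if needs_check and not acl_allows(rules, source_ip):
        return "403 Forbidden"
    return "accepted"


_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def is_affected(version_string: str) -> bool:
    """True when a version string (e.g. the output of `asterisk -V`) lies in
    the advisory's affected set: the 1.6.1 series earlier than 1.6.1.8."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return False
    parts = [int(p) for p in m.group(1).split(".")]
    if parts[:3] != [1, 6, 1]:
        return False          # 1.2.x, 1.4.x, 1.6.0.x and 1.6.2.x are not listed
    patch = parts[3] if len(parts) > 3 else 0
    return patch < 8          # 1.6.1.8 is the "Corrected In" release


if __name__ == "__main__":
    # Constructed sample sip.conf peer section: deny the world, permit the LAN.
    peer_acl = parse_acl([
        "type=friend",
        "deny=0.0.0.0/0.0.0.0",
        "permit=192.168.0.0/255.255.0.0",
    ])
    for method, src in [("REGISTER", "203.0.113.7"), ("INVITE", "203.0.113.7"),
                        ("INVITE", "192.168.1.20")]:
        print(method, src, "->", handle_request(method, src, peer_acl))
    print("1.6.1.7 affected:", is_affected("Asterisk 1.6.1.7"))
```

Running the script shows the outside address rejected on REGISTER and INVITE alike once both paths consult the ACL, while the LAN address is accepted; the `acl_on_invite=False` switch exists only so the two behaviours can be compared in a test, and is not something to enable in real handling code.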
Original Content (C) 2004-2010 Matt Riddell
