 Over the last few days we have been discussing a vulnerability in Asterisk dialplans on the Asterisk Developer List. Olle has now posted a writeup of the problem and solution on his blog:
Friends,
Last week, Hans Petter Selasky alerted us to a potential security issue in all releases of Asterisk. In fact, it doesn't involve the code, but the most common way to construct dialplans. If you have something like this in your Asterisk, you need to update your dialplans:
[incoming-from-voip]
exten => _X., 1, dial(SIP/${EXTEN})
Many VoIP protocols support a large character set that may cause harm in your dialplan
====================================================================
I've written an article about this on my blog, where my summary says:
"Because of a conflict between allowed characters in the called number or name in many VoIP protocols and the way Asterisk handles channel variables, there is a security risk hidden in many dialplans based on examples provided over the years by the Asterisk developers, trainers and community. The primary risk is that by using an ampersand in the dialstring, a user can access protected resources or misuse the pbx services. However, this character is not the only problem, as other characters may cause unexpected or problematic behavior."
There will be an Asterisk Security Advisory document coming out from Digium soon, as well as updated documentation and examples within the Asterisk source code tree. I strongly advise everyone to follow these and stay updated. (I have no access to the ASA system myself and can't generate an official security alert).
For more information about this issue and some code examples of what I personally currently think are good ways to prevent misuse of your services, please read my blog article at
http://www.voip-forum.com/?p=241&preview=true
Please help us to distribute this message!
=================================
We need help from all involved in the Asterisk eco-system. This is not something that the development team can solve by itself. We can add documents, READMEs and fix our own examples. But that won't fix it. We need everyone involved to pump this information out in all the veins that run through the Asterisk eco-system. In all languages needed, we shall say: "Audit your dialplans, fix this issue. And do it now."
Everyone that runs a web site with dialplan examples - audit your examples, fix them. Everyone that has published books on Asterisk - publish errata on your web site. Please help us - and do it now.
If you add web links, please add links both to http://www.asterisk.org where the official documents will soon be published, as well as to my blog (if you like, of course). But don't just refer to my blog entry alone.
I have updated my own servers and will now start auditing my customers' servers. After that I will have to update all my training materials so I don't repeat the bad examples. There's no magic bullet, no wonderful code patch, that can fix this, just hard work with all dialplans that accept calls over VoIP channels.
Let us all work together to fix this!
With Asterisk greetings!
/Olle
PS. If someone can update the entries on Queue() and Dial() in voip-info.org, that would be considered a good thing (TM).
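As an added example (not from Olle's post and not code from the Asterisk project), here is the risky context quoted above beside a hardened version of it. It assumes the comma-separated application argument syntax of Asterisk 1.6 and later (use | instead of , on 1.4), the FILTER() dialplan function, priority labels, and a sound file named invalid; the variable name SAFE_NUM is my own choice:

```ini
; Added example, not Olle's code and not from the Asterisk source tree.
; Assumes Asterisk 1.6+ argument syntax, FILTER(), priority labels and a
; sound file named "invalid". SAFE_NUM is an arbitrary variable name.
[incoming-from-voip]

; Risky form from the post, kept here commented out. _X. matches one
; digit followed by ANY characters, so a called number of the form
; 1234&SIP/some-internal-peer reaches Dial() unchanged, and Dial() reads
; the & as "ring both of these channels". A / in the number would likewise
; let the caller pick a different peer than the one you intended.
;exten => _X.,1,Dial(SIP/${EXTEN})

; Hardened form: build the dial string only from digits. FILTER() drops
; every character outside 0-9, so & / | and the rest never reach Dial().
exten => _X.,1,Set(SAFE_NUM=${FILTER(0-9,${EXTEN})})
; Refuse and log any call whose number had to be cleaned, so misuse
; attempts show up in the Asterisk log instead of being silently dialled.
; Quoting keeps & and | in ${EXTEN} out of the expression parser; a literal
; " in the number can still upset it, but the Dial() below uses only
; SAFE_NUM, so the worst case is a rejected call, not a redirected one.
exten => _X.,n,GotoIf($["${SAFE_NUM}" != "${EXTEN}"]?reject)
exten => _X.,n,Dial(SIP/${SAFE_NUM},30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),Log(WARNING,Rejected non-numeric called number on ${CHANNEL})
exten => _X.,n,Playback(invalid)
exten => _X.,n,Hangup()
```

When auditing, the lines to look at are every Dial(), Queue() and similar application call whose arguments include ${EXTEN} or any other caller-supplied value (caller ID, SIP header contents), in every context reachable from a VoIP channel, not only the obviously "incoming" ones.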
Original Content (C) 2004-2010
Matt Riddell