
Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 Now Available

Fri, 19 Feb 2010 18:44:51 -0400


The Asterisk Development Team has announced security releases for the following versions of Asterisk:

* 1.2.40
* 1.4.29.1
* 1.6.0.24
* 1.6.1.16
* 1.6.2.4

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 include documentation describing a possible dialplan string injection that arises from common usage of ${EXTEN} (and other expansion variables). The issue and its resolution are described in the AST-2010-002 security advisory.

If you have a channel technology which can accept characters other than numbers and letters (such as SIP), it may be possible to craft an INVITE which sends data such as 300&Zap/g1/4165551212, which would create an additional outgoing channel leg that was not originally intended by the dialplan programmer.

Please note that this is not limited to a specific protocol or to the Dial() application.

The expansion of variables into programmatically-interpreted strings is a common behavior in many script or script-like languages, Asterisk included. The ability for a variable to directly replace components of a command is a feature, not a bug - that is the entire point of string expansion.

However, due to expediency or a design misunderstanding, a developer will often not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan.

With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to enter the system unchecked.

This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers.

For more information about the details of this vulnerability, please read the security advisory AST-2010-002, which was released at the same time as this announcement.

Asterisk 1.2.40 also contains a backported dialplan function called FILTER() in order to allow the filtering of strings as described in the best practices document.
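As an added illustration (not taken from the announcement, the advisory, or the best practices document), the constructed extensions.conf fragment below places the unfiltered pattern described above next to a FILTER()-based fix. The context names from-sip and from-sip-hardened, the peer name trunk, and the variable SAFE_EXTEN are assumptions.

```ini
; Constructed example, not Asterisk project code. Context, peer and
; variable names are assumed; adapt them to your own dialplan.

[from-sip]
; Weak: the user part of the incoming Request-URI is expanded straight
; into Dial(). Because Dial() treats "&" as a separator between channel
; legs, a dialed string of 300&Zap/g1/4165551212 becomes
; Dial(SIP/300&Zap/g1/4165551212@trunk) and rings an extra, unintended leg.
exten => _X.,1,NoOp(Unfiltered dial of ${EXTEN})
exten => _X.,n,Dial(SIP/${EXTEN}@trunk)
exten => _X.,n,Hangup()

[from-sip-hardened]
; Hardened: keep only the digits 0-9 before the value reaches Dial().
; FILTER() drops everything else, including "&" and "/", so the injected
; second leg can never be formed. Rejecting (and logging) a dialed string
; that changed under filtering also gives operators a signal to watch for.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@trunk)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected dialed string with non-digit characters)
exten => _X.,n,Hangup()
```

A tighter extension pattern (for example one that matches only a fixed count of digits) is a complementary control, since a string containing "&" or "/" would then never match the extension in the first place.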

It should also be noted that the 1.6.x series of Asterisk had release candidates available as versions 1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2. These will either be released as 1.6.0.25, 1.6.1.17, and 1.6.2.5, or, if another round of RC changes is necessary, those version numbers will be used with -rc1 appended.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4

Security advisory AST-2010-002 is available at:

http://downloads.asterisk.org/pub/security/AST-2010-002.pdf

The README-SERIOUSLY.bestpractices.txt document is available in the top-level directory of your Asterisk sources, or available in all Asterisk branches from 1.2 and up.

http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt

Thank you for your continued support of Asterisk!


Original Content (C) 2004-2010 Matt Riddell