Asterisk SIP Stack Overflow

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Be advised that a new SIP vulnerability has been identified for systems that enable SIP access from untrusted sources. This vulnerability exists in all releases of Asterisk below the following versions:

1.4.38.1
1.6.2.15.1
1.8.2.1


Patches for earlier versions are included below. You can read the announcement here.

Special thanks to Malcolm Davenport for the heads up.


Description
When forming an outgoing SIP request while in pedantic mode, a stack buffer can be made to overflow if supplied with carefully crafted caller ID information. This vulnerability also affects the URIENCODE dialplan function and, in some versions of Asterisk, the AGI dialplan application as well. The ast_uri_encode function does not properly respect the size of its output buffer and can write past the end of it when encoding URIs.


Resolution
The size of the output buffer passed to the ast_uri_encode function is now properly respected.


In Asterisk versions not containing the fix for this issue, limiting strings originating from remote sources that will be URI encoded to a length of 40 characters will protect against this vulnerability.


exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => s,n,Dial(SIP/channel)



The CALLERID(num) and CALLERID(name) channel values, and any strings passed to the URIENCODE dialplan function should be limited in this manner.
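
The class of fix described under Resolution, as an added example that is not part of the original post and is not Asterisk's own code: a percent-encoder that checks the remaining output space before every write. The names `uri_encode_bounded` and `uri_encode_worst_case` and the sample caller ID are hypothetical; the point is that each input byte can grow to three output bytes, so the output size, not the input length, has to be enforced.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Asterisk's ast_uri_encode: percent-encodes `in`
 * into `out`, never writing more than `outlen` bytes (terminator included).
 * Returns 0 when the whole input fit, -1 when the output was truncated. */
static int uri_encode_bounded(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    /* RFC 3986 unreserved characters pass through unchanged. */
    static const char unreserved[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
    size_t used = 0;

    if (out == NULL || outlen == 0)
        return -1;                      /* no room even for the terminator */
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = strchr(unreserved, c) ? 1 : 3;

        /* Check room for this unit plus the final NUL BEFORE writing, so a
         * "%XX" triplet is never split and the buffer end is never passed. */
        if (need + 1 > outlen - used) {
            out[used] = '\0';
            return -1;
        }
        if (need == 1) {
            out[used++] = (char)c;
        } else {
            out[used++] = '%';
            out[used++] = hex[c >> 4];
            out[used++] = hex[c & 0x0F];
        }
    }
    out[used] = '\0';
    return 0;
}

/* Worst case every input byte becomes "%XX": 3 * n + 1 bytes are needed. */
static size_t uri_encode_worst_case(size_t n) { return 3 * n + 1; }

int main(void)
{
    const char *cid = "\"Bob\" <1@x>";  /* constructed caller ID sample */
    char small[16];
    printf("%d %s\n", uri_encode_bounded(cid, small, sizeof(small)), small);
    printf("40 input chars need up to %zu bytes\n", uri_encode_worst_case(40));
    return 0;
}
```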
 

wardmundy

Patch for Asterisk 1.4 Systems

The following patch only works on PIAF-Silver and DAHDI-based versions of Asterisk 1.4:

HTML:
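#!/bin/bash
# Stop at the first failed step so an unpatched tree is never rebuilt and reported as done.
echo "Patching Asterisk 1.4.x for SIP vulnerability..."
cd /usr/src/asterisk || exit 1
wget http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff || exit 1
patch -p0 < AST-2011-001-1.4.diff || exit 1
# Rebuild and reinstall Asterisk with the patched source.
amportal stop
make clean
./configure
make
make install
amportal start
echo "Done."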


For PIAF-Gold and Zaptel-based versions of Asterisk 1.4, use the following patch contributed by RentPBX:

HTML:
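#!/bin/bash
# Stop at the first failed step so an unpatched tree is never rebuilt and reported as done.
echo "Patching PIAF-Gold for SIP vulnerability..."
cd /usr/src/asterisk || exit 1
wget http://pbxinaflash.com/utils.patch.gold || exit 1
patch -p0 < utils.patch.gold || exit 1
# Rebuild and reinstall Asterisk with the patched source.
amportal stop
make clean
./configure
make
make install
amportal start
echo "Done."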
 

wardmundy

Asterisk 1.8 SIP Vulnerability Patch

A major SIP security vulnerability was discovered in all versions of Asterisk today. You can read all about it here.

We have developed a script for Asterisk 1.8.x only which will quickly patch your system and eliminate the problem. Log into your server as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/sipfix
chmod +x sipfix
./sipfix


Please apply this patch immediately to protect your server!
 

wardmundy

Asterisk 1.6.2 SIP Vulnerability Patch

Here is the script for patching existing PIAF-Bronze systems:

HTML:
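#!/bin/bash
# Stop at the first failed step so an unpatched tree is never rebuilt and reported as done.
echo "Patching Asterisk 1.6.2.x for SIP vulnerability..."
cd /usr/src/asterisk || exit 1
wget http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff || exit 1
patch -p0 < AST-2011-001-1.6.2.diff || exit 1
# Rebuild and reinstall Asterisk with the patched source.
amportal stop
make clean
./configure
make
make install
amportal start
echo "Done."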
 

wardmundy

New PIAF-Silver, Bronze and Purple Now Available

All new installs of PIAF-Silver, Bronze, and Purple now include Asterisk versions with the SIP vulnerability patch applied.

For those still using PIAF-Gold including new downloads, you will need to patch it yourself using the Asterisk 1.4 patch instructions above.
 

phoenixkv

New Member
Joined
Dec 4, 2010
Messages
2
Reaction score
0
Updated Breaks UI?

It appears that this update on a Purple machine breaks the web UI?

I've attached examples.
 

Attachments

  • piaf_ie.pdf
    79.6 KB · Views: 19
  • piaf_ff.pdf
    163.4 KB · Views: 15

The Deacon

Guru
Joined
Jan 29, 2008
Messages
296
Reaction score
14
Just ran the patch for Asterisk 1.4.x, PIAF-Gold, PIAF-Silver Systems and at the very end saw this:

Code:
WARNING WARNING WARNING

 Your Asterisk modules directory, located at
 /usr/lib/asterisk/modules
 contains modules that were not installed by this 
 version of Asterisk. Please ensure that these
 modules are compatible with this version before
 attempting to run Asterisk.

    app_addon_sql_mysql.so
    app_devstate.so
    app_flite.so
    app_nv_backgrounddetect.so
    app_nv_faxdetect.so
    app_pickup2.so
    app_rxfax.so
    app_saycountpl.so
    app_swift.so
    app_txfax.so
    cdr_addon_mysql.so
    chan_ooh323.so
    format_mp3.so
    func_devstate.so
    res_config_mysql.so

 WARNING WARNING WARNING


SETTING FILE PERMISSIONS
Permissions OK

STARTING ASTERISK
Asterisk Started

STARTING FOP SERVER
FOP Server Started
Done.

I'm assuming that this is nothing to be concerned about.
 

jdouglas50

New Member
Joined
Sep 3, 2009
Messages
3
Reaction score
1
1.4.xx Patch

This was a good install on my system 1.4.36



Be sure you download the patch for Asterisk 1.4. :wink5:

HTML:
#!/bin/bash
echo "Patching Asterisk 1.4.x for SIP vulnerability..."
cd /usr/src/asterisk
wget http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff
patch -p0 < AST-2011-001-1.4.diff
amportal stop
make clean
./configure
make
make install
amportal start
echo "Done."
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
Guess I am finally gonna have to bite the bullet and update 1.4.x here at work, as the patch is for a version beyond the locked ver that uses Zaptel.

Guess it's time to get my feet wet with DAHDI :(
 

MyKroFt

the 1.4 patch does not work for the locked zaptel version....

Be sure you download the patch for Asterisk 1.4. :wink5:

HTML:
#!/bin/bash
echo "Patching Asterisk 1.4.x for SIP vulnerability..."
cd /usr/src/asterisk
wget http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff
patch -p0 < AST-2011-001-1.4.diff
amportal stop
make clean
./configure
make
make install
amportal start
echo "Done."
 

wardmundy

New PIAF-Gold Patch from RentPBX

Our special thanks to RentPBX.com for development of a patch that works on PIAF-Gold and other Zaptel editions (we think) of Asterisk 1.4:

HTML:
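#!/bin/bash
# Stop at the first failed step so an unpatched tree is never rebuilt and reported as done.
echo "Patching PIAF-Gold for SIP vulnerability..."
cd /usr/src/asterisk || exit 1
wget http://pbxinaflash.com/utils.patch.gold || exit 1
patch -p0 < utils.patch.gold || exit 1
# Rebuild and reinstall Asterisk with the patched source.
amportal stop
make clean
./configure
make
make install
amportal start
echo "Done."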
 

wardmundy

FreePBX Patch

This just in from Philippe Lindheimer at FreePBX:

I believe this should resolve the issue [in FreePBX]:

freepbx.org/trac/ticket/4749

It has been published to versions 2.5 and above of FreePBX. The fix does two things:

1. macro-user-callerid massages the CID; this macro is a sort of 'gateway' that is (or should be) always called prior to doing almost anything, whether receiving a call or sending a call.
2. ext-trunk massages the CID, this is a context used to route inbound calls directly to a trunk, such as someone who is peeling off DIDs and sending them elsewhere off system.

If any of you find that we are missing something here, please file a bug in our tracker so I can promptly address it.
 

wardmundy

PIAF-Gold, Silver, Bronze & Purple Announcement

As of 5 p.m. Eastern time today, ALL new PBX in a Flash installs now include Asterisk SIP stack buffer overflow protection. Coming soon to update-fixes.

Well, not quite. See below.
 

wardmundy

New, New, New PIAF Updates

As of 5 p.m. Eastern time today, ALL new PBX in a Flash installs now include Asterisk SIP stack buffer overflow protection... even Asterisk 1.8. Also available by running update-programs and then update-fixes.

If you want more history, see this thread.
 

tm1000

Schmoozecom INC/FreePBX
Joined
Dec 1, 2009
Messages
1,360
Reaction score
78
Is there any method to protect a PIAF 1.3 such as mine ?

The above shell scripts will work depending on what version of Asterisk you are running.

I just ran the 1.6 update on PIAF 1.3 and it worked great.

The other machines were all 1.7.7.x and it was as easy as update-source
 