Asterisk t.38 Security Alert

wardmundy

A fairly serious bug in t.38 (aka Fax for Asterisk protocol) has been identified in all versions of Asterisk. We have released new PIAF-Gold, Silver, Bronze, and Purple payload files this morning which resolve the issue.

For details, see this Asterisk Security Release Announcement.
 

shane

Version 1.4.21.2 Updates

I have tried to follow the mantra of "If it's not broken don't fix it!"

With that in mind I am running 1.4.21.2 with the last SIP patch applied. Can anyone tell me if I can apply a patch for the t38 issue or do I need to work on upgrading the source? If I do need to update the source is there a painless way to do so?

As always thanks for the great site and all the help!
 

malcolmd

Howdy,

A couple of notes:

If T.38 is disabled in sip.conf, e.g. t38pt_udptl is set to "no," then you're not vulnerable.

You're also only vulnerable while authenticated calls are in progress. If your system is idling, no calls going on, then you're not vulnerable. That's not really any consolation though.

Cheers.
 

wardmundy

The FreePBX translation follows.

If you don't use T.38 faxing, make certain that the following line is included in PEER Details for all of your trunks connected to the outside world:

t38pt_udptl=no
 

ChrisJ

If I am using Digium's free fax module with SIP trunks, am I using T.38? How do I determine if T.38 is used in a SIP trunk?
 

malcolmd

Do you have t38pt_udptl set to something other than no? Then, T.38 is enabled and as soon as someone makes an authenticated call through your system, you're vulnerable.
 

centoasa

Sorry, where is the chan_sip file?
In my sip.conf (or related files) I can't find T38 (or similar).
Please explain.
 

randy7376

centoasa,

Check in /etc/asterisk/sip_general_additional.conf

Set t38pt_udptl=no if you intend to disable. I believe this is the default if you're not using Fax for Asterisk.
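
An added example, not part of the thread and not Asterisk or FreePBX code: a small Python audit of the t38pt_udptl setting discussed in the posts above, following the thread's rule that any value other than "no" counts as enabled. The sample config and its peer names are constructed; treating peers without the setting as inheriting from [general], and header-less include files such as sip_general_additional.conf as part of [general], are assumptions.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]")
SETTING = re.compile(r"^t38pt_udptl\s*=>?\s*(.*)$", re.IGNORECASE)

def audit_t38(conf_text):
    """Map each section of sip.conf-style text to 'enabled', 'disabled' or 'unset'."""
    sections = {}
    current = "general"  # assumption: lines before any [header] belong to [general]
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, None)
            continue
        m = SETTING.match(line)
        if m:
            value = m.group(1).strip().lower()
            # Thread's rule: anything other than "no" means T.38 is enabled.
            sections[current] = "disabled" if value == "no" else "enabled"
    general = sections.get("general")
    report = {}
    for name, state in sections.items():
        if state is None and name != "general":
            state = general  # assumption: peers inherit the [general] value
        report[name] = state or "unset"
    return report

# Constructed sample input, not taken from a real system.
SAMPLE = """\
[general]
t38pt_udptl=no          ; global default

[trunk-a]               ; no explicit setting
host=sip.example.invalid

[trunk-b]
t38pt_udptl = yes,redundancy

[trunk-c]
;t38pt_udptl=yes        ; commented out, so not counted
t38pt_udptl=no
"""

if __name__ == "__main__":
    for name, state in audit_t38(SAMPLE).items():
        print(f"{name}: T.38 {state}")
```

Feed it the text of sip.conf and each included file; any section reported as "enabled" or "unset" is one to review against the advice above.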
 

centoasa

I use Hylafax (and iaxmodem) for fax; must I still disable T.38?
 
