  #1  
02-25-10, 07:23 PM
wardmundy
Nerd Uno
Join Date: Oct 2007
Posts: 3,881
Asterisk Security Alert
Be aware that another Asterisk security alert has been posted which affects all installed versions of Asterisk. If you have SIP or IAX ports accessible on your server through a firewall, this may affect you and lead to unauthorized calls depending upon your dialplan. For details, visit the following link:

http://www.asterisk.org/node/49906

Recommendations: Either close inbound SIP and IAX access to your server or upgrade your currently installed version by running:

Code:
update-scripts
update-source
update-fixes
Today's Nerd Vittles article on the Orgasmatron 5.1 introduces a PIAF build that is completely insulated from these sorts of dialplan attacks.

  #2  
02-25-10, 11:50 PM
jroper
Guru
Join Date: Oct 2007
Posts: 3,333
Hi

I'm not sure that it is sufficient to simply upgrade Asterisk, and expect you to be safe. The upgrade simply adds in some tools which will allow you to filter the dialplan, and I quote:-

Quote:
This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers.
The point is, a simple upgrade is insufficient to protect you; you must also look at any custom code you have created or employed and see if there is a vulnerability.

In respect of the rest of the system, the dial-plan is created by FreePBX, so we have to put our faith in the FreePBX team to keep us safe. Their view on this subject is described here:-

http://www.freepbx.org/forum/freepbx...-vulnerability.


My view, and it is my opinion, and as such should be inspected rigorously, is that there is not a danger with a stock standard install of Asterisk + FreePBX, such as PiaF.

However - I think there is the potential to execute this dialplan injection or just an ordinary forward via the ARI, by using the Followme function.

Typically, the login to the ARI is an extension number, followed by a 4? digit numeric code which is set on the voicemail settings, which clearly is less than secure.

If someone were to access the ARI, set up a divert, with any number in the world, then simply accessing that persons extension, either with their direct DID, or with a "Please enter the extension you wish to call" would forward the call on to the destination set in the ARI.

I'm going to pose a question on the above thread to see if the ARI is a potential method of getting a dialplan injected.

Meanwhile, even if not, the above security vulnerability is still an issue for anyone who is exposing the ARI to the outside world, so one should consider whether this is necessary. If so, consider using longer voicemail numeric passwords.

Additionally, Tom, and Ward, you may like to consider placing the ARI directory underneath some apache security to keep people one step away from a login that typically uses a 3 digit username, and a 4 digit password.

Joe
__________________
www.star2billing.com
Commercial Open Source Telephony
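The injection the advisory quoted above warns about works through Dial()'s own argument syntax: a line such as Dial(SIP/${EXTEN}@trunk) pastes whatever the caller dialled into the application's data, and Dial treats & in its first argument as a separator between destinations to ring. What follows is an added example, not code from this thread and not Asterisk's source: a small Python emulation of that variable substitution and argument splitting, with the FILTER()-style allow-list that the fixed releases recommend beside it, plus a stricter reject-instead-of-strip policy. The dialplan lines, the trunk name and the numbers are constructed for illustration.

```python
"""Emulation of Asterisk ${EXTEN} substitution into Dial() and of Dial's
'&' destination separator.  Added example: this is not Asterisk's code and
not from the forum thread; dialplan lines, trunk name and numbers are
constructed for illustration."""

import re

# Vulnerable pattern (the shape the advisory warns about): whatever the
# caller dialled lands inside Dial's argument unfiltered.
VULNERABLE = "Dial(SIP/${EXTEN}@trunk,30)"

# Hardened form using the FILTER() dialplan function: only digits and
# + * # survive substitution.
ALLOWED = "0-9+*#"
HARDENED = "Dial(SIP/${FILTER(%s,${EXTEN})}@trunk,30)" % ALLOWED

LEGIT = "2125551212"
# Constructed attacker input: terminates the first destination and appends
# a second, international one (020 7946 xxxx is a UK drama/fiction range).
INJECTED = "2125551212@trunk&SIP/0044207946000"


def filter_chars(allowed_spec, value):
    """Emulate FILTER(): keep only characters in the allow-list.
    The spec takes single characters and a-b ranges, e.g. '0-9+*#'."""
    allowed = set()
    i = 0
    while i < len(allowed_spec):
        if i + 2 < len(allowed_spec) and allowed_spec[i + 1] == "-":
            lo, hi = allowed_spec[i], allowed_spec[i + 2]
            allowed.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
            i += 3
        else:
            allowed.add(allowed_spec[i])
            i += 1
    return "".join(ch for ch in value if ch in allowed)


def is_clean(allowed_spec, value):
    """Reject-instead-of-strip check: True only if FILTER would remove nothing."""
    return filter_chars(allowed_spec, value) == value


def substitute(template, exten):
    """Expand ${FILTER(spec,${EXTEN})} and bare ${EXTEN} in a dialplan line,
    mirroring Asterisk expanding variables before the app sees its data."""
    filtered = re.sub(r"\$\{FILTER\(([^,]*),\$\{EXTEN\}\)\}",
                      lambda m: filter_chars(m.group(1), exten), template)
    return filtered.replace("${EXTEN}", exten)


def dial_destinations(line):
    """Split a substituted Dial() line the way the app does: arguments on
    ',' (Asterisk 1.4 used '|', handled too), then the first argument on
    '&', one channel per element.  Returns (destinations, remaining_args)."""
    m = re.fullmatch(r"Dial\((.*)\)", line)
    if not m:
        raise ValueError("not a Dial() line: %r" % line)
    args = re.split(r"[,|]", m.group(1))
    return [d for d in args[0].split("&") if d], args[1:]


def ring_list(template, exten):
    """Channels that would ring for this template and dialled string."""
    return dial_destinations(substitute(template, exten))[0]


def ring_list_or_reject(template, exten, allowed_spec=ALLOWED):
    """Stricter policy: refuse the call outright if the dialled string has
    anything outside the allow-list, instead of silently stripping it and
    dialling whatever digits remain."""
    if not is_clean(allowed_spec, exten):
        return []
    return ring_list(template, exten)


if __name__ == "__main__":
    for tmpl in (VULNERABLE, HARDENED):
        print(tmpl)
        for ext in (LEGIT, INJECTED):
            print("  EXTEN=%-36s rings %s" % (ext, ring_list(tmpl, ext)))
    print("reject policy on injected input:",
          ring_list_or_reject(VULNERABLE, INJECTED))
```

Two things the run makes visible. First, FILTER() strips rather than rejects, so the hardened line still hands the trunk a single, mangled digit string; if you would rather drop such calls, compare the filtered value with the original (as ring_list_or_reject does) and hang up on a mismatch. Second, the injected string matched the dialplan at all only because a pattern like _X. ends in the "." wildcard, which matches one or more characters of any kind; a fixed-length pattern such as _NXXNXXXXXX would never match it, so tight extension patterns are a second layer in front of FILTER().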
  #3  
02-26-10, 07:27 AM
wardmundy
Nerd Uno
Join Date: Oct 2007
Posts: 3,881
On systems we build including all of the Orgasmatron builds, we NEVER use 4-digit voicemail passwords. It's like everything else. If your passwords aren't secure, your system isn't secure. Simple as that.

The other obvious solution is DON'T EXPOSE YOUR SYSTEM TO WEB ACCESS FROM THE INTERNET.

Finally, if you really need ARI for your employees, simply change the name of the directory to something really obscure, e.g. instead of /var/www/html/recordings, use something like /var/www/html/58237h44. When employees depart, change it again. Security through obscurity really does work in some cases. Better yet, implement a VPN!

  #4  
02-26-10, 08:13 AM
wardmundy
Nerd Uno
Join Date: Oct 2007
Posts: 3,881
Quote (originally posted by jroper):
If someone were to access the ARI, set up a divert, with any number in the world, then simply accessing that persons extension, either with their direct DID, or with a "Please enter the extension you wish to call" would forward the call on to the destination set in the ARI.
This, of course, assumes that your dialplan and provider settings permit calls to any destination in the world... a very dangerous setup and one we would never recommend.
  #5  
02-26-10, 09:08 AM
jroper
Guru
Join Date: Oct 2007
Posts: 3,333
Some companies do have the need to make international calls, and cannot always predict what part of the world they will be calling next. Blocking all international calls is a luxury that many would find highly restrictive.

I mentioned the possibility of protecting the ARI with some Apache directory security, which would be trivial to do, and would have the effect of putting user-numbers and pass-numbers one level deep, and would not cause any real user issues.

You did not mention whether you were prepared to look at putting an extra layer of security on the ARI in your responses. Given the trouble we have gone to to protect the FOP with iptables and Fail2ban, PiaF is one of the few distributions I feel comfortable putting A2Billing on, exposed directly to the internet. To say "Don't put it on the internet", we may as well not have bothered with the above.

In case you do want to add this layer of security, and I would recommend you give it serious consideration, here's a two-minute scripting job to add to your next update-fixes, after you have tested it (which I haven't) and deemed it acceptable.

Code:
#!/bin/sh
# Installs a small helper (passwd-ari) for setting the ARI user's password,
# then puts /var/www/html/recordings behind Apache basic auth and restarts httpd.

# The shebang has to be the very first line of the generated file, so the
# quoted text starts immediately after the opening quote.
echo '#!/bin/sh

echo -------------------------------------------
echo Set password for the ARI
echo User: ari
echo -------------------------------------------
echo ""

# htpasswd without -c adds to an existing file; if wwwpasswd does not yet
# exist on your box, use -c the first time to create it.
htpasswd /usr/local/apache/passwd/wwwpasswd ari
' > /usr/local/sbin/passwd-ari

chmod +x /usr/local/sbin/passwd-ari

echo '
# Password protect /var/www/html/recordings (the ARI)
<Directory /var/www/html/recordings>
AuthType Basic
AuthName "Restricted users Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user ari
</Directory>
' >> /etc/pbx/httpdconf/pbx.conf

service httpd restart

echo "now type passwd-ari at the command prompt, and set the ARI password"


Joe
__________________
www.star2billing.com
Commercial Open Source Telephony
  #6  
02-26-10, 09:56 AM
dswartz
Guru
Join Date: Feb 2009
Posts: 575
I am confused
Quote (originally posted by wardmundy):
Be aware that another Asterisk security alert has been posted which affects all installed versions of Asterisk. If you have SIP or IAX ports accessible on your server through a firewall, this may affect you and lead to unauthorized calls depending upon your dialplan. For details, visit the following link:

http://www.asterisk.org/node/49906

Recommendations: Either close inbound SIP and IAX access to your server or upgrade your currently installed version by running:

Code:
update-scripts
update-source
update-fixes
Today's Nerd Vittles article on the Orgasmatron 5.1 introduces a PIAF build that is completely insulated from these sorts of dialplan attacks.
I am running 1.4.21.2 and have been for awhile now. Per the above quote, I did update-source, but nothing changed. ???
  #7  
02-26-10, 12:59 PM
wardmundy
Nerd Uno
Join Date: Oct 2007
Posts: 3,881
The code downloads the current releases, but Digium doesn't always get the current releases posted in a timely manner. Try again in a day or two. Even though this bulletin was dated a week ago, it didn't get pushed out until yesterday as I understand it.
  #8  
02-26-10, 02:11 PM
wardmundy
Nerd Uno
Join Date: Oct 2007
Posts: 3,881
An addition has been made to Orgasmo 5.1 to require an existing valid-user account to log in to both ARI and web reminders. Of course, as distributed, Orgasmo 5.1 is designed to sit behind a firewall with NO public web access to the server. But there are always experimenters.

If you wish to separate out the passwords, you can always add more user accounts to /usr/local/apache/passwd/wwwpasswd. My preference is to add new files in /etc/pbx/httpdconf for each app requiring password authentication. So there's a new ari.conf and reminders.conf. Just makes it easier to track down issues down the road.

For those that already have installed Orgasmo 5.1, here's the code to patch your system or any other PBX in a Flash system for that matter:

Code:
# patches for reminders and ARI security
echo "#Password protect ARI interface" > /etc/pbx/httpdconf/ari.conf
echo "<Directory /var/www/html/recordings>" >> /etc/pbx/httpdconf/ari.conf
echo "AuthType Basic" >> /etc/pbx/httpdconf/ari.conf
echo 'AuthName "Restricted Area"' >> /etc/pbx/httpdconf/ari.conf
echo "AuthUserFile /usr/local/apache/passwd/wwwpasswd" >> /etc/pbx/httpdconf/ari.conf
echo "Require valid-user" >> /etc/pbx/httpdconf/ari.conf
echo "</Directory>" >> /etc/pbx/httpdconf/ari.conf

echo "#Password protect web reminders" > /etc/pbx/httpdconf/reminders.conf
echo "<Directory /var/www/html/reminders>" >> /etc/pbx/httpdconf/reminders.conf
echo "AuthType Basic" >> /etc/pbx/httpdconf/reminders.conf
echo 'AuthName "Restricted Area"' >> /etc/pbx/httpdconf/reminders.conf
echo "AuthUserFile /usr/local/apache/passwd/wwwpasswd" >> /etc/pbx/httpdconf/reminders.conf
echo "Require valid-user" >> /etc/pbx/httpdconf/reminders.conf
echo "</Directory>" >> /etc/pbx/httpdconf/reminders.conf

apachectl restart

Syntax for adding an additional user (htpasswd only takes the password on the command line with -b; leave off -b and the password to be prompted for it instead, which keeps it out of your shell history): htpasswd -b /usr/local/apache/passwd/wwwpasswd username password

  #9  
02-26-10, 10:02 PM
jribbing13
Member
Join Date: Mar 2009
Location: Jamestown, NY
Posts: 73
Okay so I ran all the update commands. What version should it upgrade to?
I show:

1.4.21.2 Asterisk Version...

Thanks,

-Jeff
__________________
-Jeff Ribbing
  #10  
02-27-10, 11:26 AM
Alex728
Guru
Join Date: Dec 2007
Location: Ipswich, Suffolk, UK
Posts: 379
I'm wary of upgrading source at present because of potential issues with DAHDI and British telephone lines, so I have shut off all the firewall pinholes in every router.

Thankfully the linked PABXs all still work, but I'm curious as to how this occurs? I've got the two with static IPs set as peer and user, and the dynamic IP box (my home one) set to register to the IAX2 trunks on the other two.

so now there is nothing exposed to the net via the firewall on any router other than SSH (on non standard ports).

I have set "qualify=yes" everywhere. Is this all I need to keep the routes open, but hopefully keep away the bad stuff?
__________________
Alex - International Telephone Man of Mystery