
ALERT Asterisk Security Patches

Discussion in 'Bug Reporting and Fixes' started by wardmundy, Jan 4, 2013.

  1. wardmundy Nerd Uno

    Some serious Denial of Service issues have been found in all versions of Asterisk 1.8, 10, and 11. If your system is not sitting behind a hardware-based firewall with no Internet port exposure, your server is extremely vulnerable. Special thanks to Tony at Schmooze for the heads up.

    For details, see these threads:

    seclists.org/fulldisclosure/2013/Jan/11
    seclists.org/fulldisclosure/2013/Jan/10

    To secure your server, you can either upgrade your server to the latest release using the example template or apply patches. Patches to bring Asterisk 11.1.0 current are attached. Gunzip the files (in order from low to high) and run them. Your Asterisk server will be off-line while the patches are applied. For Asterisk 1.8 and 10, edit the scripts and plug in the appropriate patch files. The "combo" patch brings Asterisk 11.1.1 and Incredible PBX 11.1.0 current to Asterisk 11.1.2 in one pass. Upgrade scripts are also provided for earlier releases of Asterisk 1.8 and 11 to bring them to a "safe" release. We will post additional scripts as time permits.

    Incredible PBX for Raspberry Pi Upgrade Script is available here.

    Attached Files:

    • patch-11.1.1.gz (553 bytes)
    • patch-11.1.2.gz (553 bytes)
    • patch-11.1.1-combo.gz (572 bytes)
    • upgrade-purple-1.8.19.1.gz (868 bytes)
    • upgrade-green-11.1.2.gz (882 bytes)
    Last edited by wardmundy, Jan 16, 2013
    wardmundy, Jan 4, 2013
    #1
  2. darmock PIAF Developer

    Hi All

    Just updating the default installs to the versions of Asterisk that do not suffer from these problems. Will let you all know when it is available.

    Tom
    darmock, Jan 5, 2013
    #2
  3. wardmundy Nerd Uno

    New PIAF 20631 installs from existing ISOs should be "safe" now... at least for a week or two. Standard warning applies:

    Always run PBX in a Flash behind a hardware-based firewall with no Internet port exposure to your server.*

    * Yes, there are exceptions. And, no, we can't vouch for whether they are safe.
    wardmundy, Jan 6, 2013
    #3
  4. wardmundy Nerd Uno

    Just a heads up on our security roadmap to address the Asterisk security vulnerabilities reported above. New ISO downloads already have been patched. Incredible PBX 11 for Virtual Box has been patched and should be available on SourceForge by early tomorrow. Tom is working through an update-fixes release which will address existing deployments as soon as possible. Raspberry Pi implementations will be addressed shortly.

    You, of course, can follow the instructions in this example to update your server immediately.

    REMEMBER: If your server is sitting behind a hardware-based firewall with no port exposure, you're safe... at least from the reported vulnerabilities.

    The safe versions are outlined below. Source is available here for 1.8, 10, and 11 and here for 1.8-certified. I'm still not 100% certain the Asterisk 1.8.11-cert10 code is safe. Still checking. For the time being, put any PIAF-Brown deployments behind a secure, hardware-based firewall.

    PBX in a Flash Purple (Digium Provided Long Term Support)
    Asterisk 1.8.19.1 *NEW*
    Libpri 1.4.12
    Dahdi 2.6.1+2.6.1

    PBX in a Flash Red (NO Digium Provided Long Term Support)
    Asterisk 10.11.1
    Libpri 1.4.12
    Dahdi 2.6.1+2.6.1

    WARNING: Asterisk 10 versions above 10.0.0 reportedly break Google Voice and GTalk.

    PBX in a Flash Brown (Digium Provided Support with purchase of SLA contract $30K+)
    Asterisk 1.8.11-cert10
    Libpri 1.4.12
    Dahdi 2.6.1+2.6.1

    PBX in a Flash Green
    Asterisk 11.1.2
    Libpri 1.4.12
    Dahdi 2.6.1+2.6.1
    Last edited by wardmundy, Jan 6, 2013
    wardmundy, Jan 6, 2013
    #4
  5. ottcomputing New Member

    Is the update script you linked safe to use to update asterisk to 1.8.19.1?
    ottcomputing, Jan 7, 2013
    #5
  6. darmock PIAF Developer

    I recommend you use update-source instead. It is more current than what was referenced.

    Tom
    darmock, Jan 7, 2013
    #6
  7. wardmundy Nerd Uno

    Incredible PBX 11.1.2 for VirtualBox with Asterisk 11.1.2 is now available on SourceForge. The Nerd Vittles Quick Start Guide has been updated accordingly.
    wardmundy, Jan 7, 2013
    #7
  8. luckman212 Guru

    Howdy! (and many, many thanks for this work!) I decided to give this one a spin, and stalled at the starting gates. I downloaded the 2 parts from SF and spliced them together but my SHA1 differs from what's in the README. I'm getting 71cf4593451344790a1e5a77f1b34804b4206d2a whereas the README says it ought to be 86ccd31d64d3b51e10a8e7429548be6ce15ecd9b. I tried scrapping the files and re-downloading twice, with the same result.

    On top of that, when I tried to import the OVF, Vbox errors out with the following:
    [screenshot of the VirtualBox import error, not captured]

    Has anyone else been successful?
    luckman212, Jan 7, 2013
    #8
  9. wardmundy Nerd Uno

    Incredible PBX 3.7 for Raspberry Pi is now available on SourceForge. It includes Asterisk 1.8.19.1 which addresses the Asterisk Denial of Service bug identified in previous Asterisk 1.8 releases. Patch for prior Raspberry Pi releases coming soon.
    wardmundy, Jan 7, 2013
    #9
  10. wardmundy Nerd Uno

    Thanks for the heads up. The INCREDIBLEPBX11aa file was corrupted somehow. INCREDIBLEPBX11ab is fine. I'm uploading it again now. Should be available at about 11:00 pm Eastern time tonight. Sorry.
    wardmundy, Jan 7, 2013
    #10
  11. wardmundy Nerd Uno

    Still having file corruption problems with the INCREDIBLEPBX11aa upload. I'll post something when it's complete. Before downloading, click on the i icon to the right of the file name on SF. This will tell you the SHA1 checksum. For this individual file, it should be 07c73cdedffc03504ce5373ab7d162b5adfd1353. If not, don't waste your time. Here's what it looks like for INCREDIBLEPBX11ab (which is correct):
    [screenshot of the SourceForge file info for INCREDIBLEPBX11ab, not captured]
    wardmundy, Jan 8, 2013
    #11
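A worked version of the check described in this post and in luckman212's post above: hash each downloaded part against the per-file SHA1 SourceForge shows, so a corrupt part is identified before the parts are joined, then hash the joined file against the README value. This is example code added here, not from the thread or from PBX in a Flash; the file names and contents in demo() are constructed, and the expected SHA1 of the joined demo file is the standard "abc" test vector.

```python
# Added example (not from the thread or from PBX in a Flash): verify each
# downloaded part by SHA1 before joining, then verify the joined file against
# the README value. Names and contents in demo() are constructed.
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB chunks so a multi-GB image is never fully in RAM


def sha1_of_file(path):
    """Hex SHA1 digest of a file, computed in a streaming fashion."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_and_join(parts, expected_parts, output, expected_whole):
    """Check every part first (the SourceForge per-file SHA1), join only if all
    match, then check the joined file against the README SHA1.

    Returns (ok, bad_parts). If any part mismatches, nothing is written and
    bad_parts names the offending part(s), so you know which one to re-download.
    """
    bad = [p for p, want in zip(parts, expected_parts)
           if sha1_of_file(p).lower() != want.lower()]
    if bad:
        return False, bad
    with open(output, "wb") as out:  # same as `cat ...aa ...ab > joined`
        for p in parts:
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(CHUNK), b""):
                    out.write(chunk)
    return sha1_of_file(output).lower() == expected_whole.lower(), []


def demo(tmpdir=None):
    """Constructed demo: parts b"ab" + b"c" join to b"abc", whose SHA1 is the
    well-known test vector a9993e36...; per-part hashes are computed inline."""
    d = Path(tmpdir or tempfile.mkdtemp())
    (d / "DEMOaa").write_bytes(b"ab")
    (d / "DEMOab").write_bytes(b"c")
    want = [hashlib.sha1(b"ab").hexdigest(), hashlib.sha1(b"c").hexdigest()]
    return verify_and_join([d / "DEMOaa", d / "DEMOab"], want, d / "DEMO.joined",
                           "a9993e364706816aba3e25717850c26c9cd0d89d")
```

For a real download, pass the SHA1 values copied from the SourceForge "i" icon as expected_parts and the README value as expected_whole; a mismatch on a part means re-download that part only.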
  12. wardmundy Nerd Uno

    Fixed as of 6:15 a.m. Eastern time. Our apologies.
    wardmundy, Jan 8, 2013
    #12
  13. luckman212 Guru

    So I rolled a little PBX for a friend about a week ago (PIAF-Green) and at the time it built with Asterisk 11.1.0.

    Is the best way to patch him up to 11.1.2 to use the script template, or should I be using those binary patches linked above? Or update-source? Sorry for the confusion.
    luckman212, Jan 8, 2013
    #13
  14. wardmundy Nerd Uno

    If you're sure he's on 11.1.0, then the combo patch above should work fine. I've tried it on several systems with no problems. Any further back than 11.1.0 and you're in untested territory applying earlier patches. Tom reports that sometimes they work, and sometimes not.
    wardmundy, Jan 8, 2013
    #14