IAX2 security issue

Discussion in 'General' started by jammerz, Sep 8, 2009.

  1. jammerz

    Joined:
    Sep 7, 2009
    Messages:
    75
    Likes Received:
    0
    I saw in another post a high alert on a significant IAX2 security issue that looks too significant, but I did not see it included here, though it was in the developers' mailing list. Thanks Fernando.

    Here is the new Asterisk vulnerability detected today; please upgrade all RPMs.

    Asterisk Development Team has announced the release of Asterisk 1.2.35,
    1.4.26.2, 1.6.0.15, and 1.6.1.6. These releases are available for immediate
    download at http://downloads.asterisk.org/pub/telephony/asterisk/

    These releases have been created in response to an IAX2 denial of service
    vulnerability.

    For more information about the details of this vulnerability, please read
    the security advisory AST-2009-006, which was released at the same time as this
    announcement.

    The announcement is available at
    http://downloads.asterisk.org/pub/secur ... 09-006.pdf

    Also, please see the PDF in doc/IAX2-security.pdf in your Asterisk source.

    For a full list of changes in the current releases, please see the
    ChangeLogs:
    http://downloads.asterisk.org/pub/telep ... ngeLog-1.2.35
    http://downloads.asterisk.org/pub/telep ... g-1.4.26.2
    http://downloads.asterisk.org/pub/telep ... g-1.6.0.15
    http://downloads.asterisk.org/pub/telep ... og-1.6.1.6

    Kind regards,

    Ing. Fernando M. Villares Terán

    Mat. CIE. 2-2517-7

    Engineering & Telecommunications

    www.intelix.com.ar

    Tel./Fax: 54-341-4489886 and rotary lines

    Rosario
     
  2. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    The important point is to notice that if you upgrade to 1.4.26.2 you will lose connectivity if the other side of the IAX2 connection has not upgraded yet.

    Read the good overview of the changes at
    http://svn.digium.com/svn/asterisk/branches/1.6.0/doc/IAX2-security.pdf

    You will need to add requirecalltoken = auto in your IAX trunk to keep backward compatibility until everybody has upgraded.

    Another solution is to disable the protection by adding the following to iax_custom.conf:
    calltokenoptional = 0.0.0.0/0.0.0.0
    maxcallnumbers = 16382

    but that will defeat the purpose of the security fix.
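    To see which of these settings a given box actually carries, here is a small audit script; it is an added example, not part of the thread or of Asterisk. It parses Asterisk's INI-like config syntax (sections, key=value, ';' comments; templates and #include are not handled, an assumption for brevity), and flags the three settings discussed above: requirecalltoken=no on a peer, a calltokenoptional range covering every address, and maxcallnumbers at or above the 16382 value used to lift the limit. The sample config is constructed for the example.

```python
import ipaddress
import re

# Constructed sample config for this example (not from a real deployment).
SAMPLE_CONF = """\
[general]
calltokenoptional=0.0.0.0/0.0.0.0   ; lifts the call-token requirement for everyone
maxcallnumbers=16382
[trunk-to-branch]
requirecalltoken=auto   ; backward compatible during the upgrade window
[legacy-ata]
requirecalltoken=no
"""

def parse_asterisk_conf(text):
    """Return {section: {key: value}} for Asterisk's INI-like config syntax."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # a repeated key keeps its last value
            sections[current][key.strip().lower()] = value.strip()
    return sections

def covers_everything(spec):
    """True if an addr/mask spec such as 0.0.0.0/0.0.0.0 matches every IPv4 host."""
    try:
        addr, mask = spec.split("/", 1)
        return ipaddress.IPv4Network((addr, mask), strict=False).prefixlen == 0
    except ValueError:
        return False

def audit(text):
    """Return (section, finding) pairs for settings that weaken the AST-2009-006 fix."""
    findings = []
    for name, opts in parse_asterisk_conf(text).items():
        if opts.get("requirecalltoken", "").lower() == "no":
            findings.append((name, "requirecalltoken=no disables call-token checks"))
        if covers_everything(opts.get("calltokenoptional", "")):
            findings.append((name, "calltokenoptional covers all addresses"))
        mcn = opts.get("maxcallnumbers", "")
        if mcn.isdigit() and int(mcn) >= 16382:  # value the thread uses to lift the limit
            findings.append((name, "maxcallnumbers lifts the per-address limit"))
    return findings
```

    Run audit() over the contents of iax.conf and iax_custom.conf together; an empty result means none of the three weakening settings is present.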
     
  3. jammerz

    Joined:
    Sep 7, 2009
    Messages:
    75
    Likes Received:
    0
    Thanks Patrick, I pulled down the PDF, good stuff.

    jf
     