IAX2 security issue

jammerz

#1
I saw in another post a high alert on a significant IAX2 security issue that looks to be significant, but I did not see it included here, though it was in the developers' mailing list. Thanks Fernando.

Here is the new Asterisk vulnerability detected today; please upgrade all RPMs.

Asterisk Development Team has announced the release of Asterisk 1.2.35,
1.4.26.2, 1.6.0.15, and 1.6.1.6. These releases are available for immediate
download at http://downloads.asterisk.org/pub/telephony/asterisk/

These releases have been created in response to an IAX2 denial of service
vulnerability.

For more information about the details of this vulnerability, please read the
security advisory AST-2009-006, which was released at the same time as this
announcement.

The announcement is available at
http://downloads.asterisk.org/pub/secur ... 09-006.pdf

Also, please see the PDF in doc/IAX2-security.pdf in your Asterisk source.

For a full list of changes in the current releases, please see the
ChangeLogs:
http://downloads.asterisk.org/pub/telep ... ngeLog-1.2.35
http://downloads.asterisk.org/pub/telep ... g-1.4.26.2
http://downloads.asterisk.org/pub/telep ... g-1.6.0.15
http://downloads.asterisk.org/pub/telep ... og-1.6.1.6

Kind regards,

Ing. Fernando M. Villares Terán
Mat. CIE. 2-2517-7
Engineering & Telecommunications
www.intelix.com.ar
Tel./Fax: 54-341-4489886 and rotary lines
Rosario

Patrick_elx

#2
The important point is to notice that if you upgrade to 1.4.26.2 you will lose connectivity if the other side of the IAX2 connection has not upgraded yet.

Read the good overview of the changes at
http://svn.digium.com/svn/asterisk/branches/1.6.0/doc/IAX2-security.pdf

You will need to add requirecalltoken = auto in your IAX trunk to keep backward compatibility until everybody has upgraded.

Another solution is to disable the protection by adding in iax_custom.conf:
calltokenoptional = 0.0.0.0/0.0.0.0
maxcallnumbers = 16382

but that will defeat the purpose of the security fix.
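As an added example (not code from the thread or from the Asterisk project): a small Python audit script that parses an iax.conf in the minimal [section] / key = value form and flags the settings Patrick discusses, so an admin can spot where the workaround was left in place. The sample config, the function names and the finding texts are constructed for this example.

```python
import ipaddress
import re

# Constructed sample iax.conf (not from the thread): [general] applies the
# "disable the protection" workaround, one trunk keeps the transitional
# setting and one switches the call-token check off entirely.
SAMPLE_IAX_CONF = """
[general]
calltokenoptional = 0.0.0.0/0.0.0.0   ; call token optional for all hosts
maxcallnumbers = 16382
[trunk-legacy]
requirecalltoken = auto
[trunk-noauth]
requirecalltoken = no
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")

def parse_iax_conf(text):
    """Minimal Asterisk-style parser: {section: [(key, value), ...]}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit_iax_conf(text):
    """Return (section, finding) pairs for settings that weaken the AST-2009-006 protections."""
    findings = []
    for section, items in parse_iax_conf(text).items():
        for key, value in items:
            if key == "calltokenoptional":
                # value is ip/mask; a zero-length prefix exempts every source address
                net = ipaddress.ip_network(value.replace(" ", ""), strict=False)
                if net.prefixlen == 0:
                    findings.append((section, "call token optional for every host"))
            elif key == "maxcallnumbers" and int(value) >= 16382:
                findings.append((section, "maxcallnumbers at 16382, per-IP limit effectively disabled"))
            elif key == "requirecalltoken" and value.lower() == "no":
                findings.append((section, "call token never required"))
            elif key == "requirecalltoken" and value.lower() == "auto":
                findings.append((section, "transitional 'auto', tighten once the peer has upgraded"))
    return findings
```

Run audit_iax_conf over the real file's contents; an empty list means none of the weakening settings above were found.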
 

jammerz

#3
Thanks Patrick, I pulled down the PDF, good stuff.

jf
 
