Asterisk Security Release Announced

The Asterisk team at Digium announced new versions of Asterisk in reference to a potential security issue. The release highlights best practices and hopes to raise awareness of some potential security issues and injection statements. The announcement follows:

The Asterisk Development Team has announced security releases for the following
versions of Asterisk:

* 1.2.40
* 1.4.29.1
* 1.6.0.24
* 1.6.1.16
* 1.6.2.4

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4
include documentation describing a possible dialplan string injection with common
usage of the ${EXTEN} (and other expansion variables). The issue and resolution
are described in the AST-2010-002 security advisory.

If you have a channel technology which can accept characters other than numbers
and letters (such as SIP) it may be possible to craft an INVITE which sends data
such as 300&Zap/g1/4165551212 which would create an additional outgoing channel
leg that was not originally intended by the dialplan programmer.

Please note that this is not limited to a specific protocol or the Dial()
application.

The expansion of variables into programmatically-interpreted strings is a common
behavior in many script or script-like languages, Asterisk included. The ability
for a variable to directly replace components of a command is a feature, not a
bug – that is the entire point of string expansion.

However, it is often the case due to expediency or design misunderstanding that
a developer will not examine and filter string data from external sources before
passing it into potentially harmful areas of their dialplan.

With the flexibility of the design of Asterisk come these risks if the dialplan
designer is not suitably cautious as to how foreign data is allowed to enter the
system unchecked.

This security release is intended to raise awareness of how it is possible to
insert malicious strings into dialplans, and to advise developers to read the
best practices documents so that they may easily avoid these dangers.

For more information about the details of this vulnerability, please read the
security advisory AST-2010-002, which was released at the same time as this
announcement.

Asterisk 1.2.40 also contains a backported dialplan function called FILTER() in
order to allow the filtering of strings as described in the best practices
document.

It should also be noted that the 1.6.x series of Asterisk had release candidates
available as versions 1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2. These will
either be released as 1.6.0.25, 1.6.1.17, and 1.6.2.5, or if another round of
RC changes is necessary, those version numbers will be used with -rc1 appended.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4

Security advisory AST-2010-002 is available at:

http://downloads.asterisk.org/pub/security/AST-2010-002.pdf

The README-SERIOUSLY.bestpractices.txt document is available in the top-level
directory of your Asterisk sources, or available in all Asterisk branches from
1.2 and up.

http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt

Thank you for your continued support of Asterisk!
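To make the ${EXTEN} injection and the FILTER() fix from the announcement concrete, here is an added extensions.conf fragment (my own example, not part of the announcement or the Asterisk sources) showing the risky pattern beside the hardened one. The SIP peer name "provider" and the context names are assumptions.

```ini
; Added example, not from the advisory: a vulnerable context beside a
; hardened one. "provider" is an assumed SIP peer in sip.conf.

[from-sip-unsafe]
; VULNERABLE: ${EXTEN} is expanded straight into the Dial() argument.
; Dial() treats '&' as a separator between channels, so an INVITE for
; 300&Zap/g1/4165551212 (the advisory's example) becomes two outgoing
; legs: SIP/300@provider and Zap/g1/4165551212.
exten => _X.,1,NoOp(Unsafe: dialing ${EXTEN})
exten => _X.,n,Dial(SIP/${EXTEN}@provider,30)
exten => _X.,n,Hangup()

[from-sip-safe]
; HARDENED: FILTER(0-9,...) keeps only the digits of ${EXTEN}, dropping
; '&', '/', letters and any other dialplan-significant characters before
; the value reaches Dial(). Comparing lengths with LEN() detects that
; something was stripped, so the call can be refused and logged rather
; than silently rewritten.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($[${LEN(${SAFE_EXTEN})} != ${LEN(${EXTEN})}]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider,30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(SECURITY: rejected EXTEN with disallowed characters)
exten => _X.,n,Hangup()
```

The same FILTER() wrapping applies wherever a variable from the network is expanded into an application argument, not only Dial(); on 1.2.40 FILTER() is available through the backport mentioned above.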

This entry was posted in VoIP by Fred.

About Fred

The reason this site exists can be found in two words... Patrick and Fred. Fred Posner designs and implements VoIP solutions through Team Forrest and LOD.com. Favoring Open Source solutions (such as Asterisk, FreeSWITCH, and Kamailio), Fred enjoys working with organizations to increase productivity while reducing cost. If you’d like to contact Fred, please do so through QXORK.com. You should also check out Dream Day Cakes.
