
Asterisk RTP vulnerability - how exposed is RasPBX?

sfemping
2017-09-08
  • sfemping

    sfemping - 2017-09-08

    This looks fairly nasty:

    https://www.theregister.co.uk/2017/09/03/asterisk_rtp_bug_allows_intercepted_calls/

    I see the vulnerability may be limited to the first few seconds if the initial set of patches is applied, but I wondered where both the RasPBX Asterisk 11 and 13 versions stood on this?

    Initially, I thought that the vulnerable part would be active calls on external trunks, but actually, I suppose the system could be tricked into splitting the RTP off for any internal or other call if the RTP ports can be reached?

    Interested in thoughts from those more familiar with the code and patch level!

  • VoIPuser

    VoIPuser - 2017-09-08

    You may want to see the discussion here:

    http://nerdvittles.com/?p=23361

    If that article is to be believed, the easiest fix is to remove the rule that allows incoming traffic from anywhere on ports 10000-20000 in iptables (don't forget to restart iptables, or just reboot). I am not an expert on this sort of thing, so I'm just passing that along.

  • Gernot

    Gernot - 2017-09-08

    Yes, the described vulnerability is also contained in the Asterisk shipped with RasPBX. The fixes were published by Digium on August 31st; I will upload updated versions of Asterisk 11 and 13 by tomorrow.

    The iptables rule from the Nerdvittles article above does not apply to RasPBX, as it is a rule specific to the Nerdvittles releases.

    Nonetheless, it is possible to eliminate or at least reduce exposure to this bug by following these steps:

    1. If your RasPBX is behind a router with a private IP (which is the case for most setups) and your router does NOT forward RTP ports 10000-20000 to your Asterisk, you are not affected by attackers from outside.
    2. For trunk settings nat=yes is usually not required. If this setting accidentally slipped in there, remove it and check if your trunks still work.
    3. For extensions nat=yes is often used. If all your extensions are on your local network anyway, you won't need it, so turn off nat for these extensions.
    4. Only extensions that are outside on the Internet, registering with your Asterisk from there, would still be affected, if nat=yes cannot be turned off for them.
  • sfemping

    sfemping - 2017-09-09

    Thanks Gernot for explaining clearly what we might be able to do and your work to integrate the patches.

  • sfemping

    sfemping - 2017-11-14

    There's what looks like a good explanation of the history and the fixes in the link below. Looks like we need to be on 11.6-cert18, 11.25.3, 13.13-cert6, 13.17.2, or 14.6.2?

    When we are on those version(s) or higher, do we need to set something specific for the strictrtp setting?

    http://blogs.asterisk.org/2017/09/27/rtp-security-vulnerabilities/

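A small audit helper for the two checks raised in this thread, added here as an example and not code from RasPBX, FreePBX or any poster: it lists the SIP sections that still carry nat=yes (Gernot's steps 2 to 4) and compares an "asterisk -V" string against the fixed releases listed in the post above (11.25.3, 13.17.2, 14.6.2; the cert branches are not handled). The sip.conf snippet is constructed for the example; on a real RasPBX you would feed /etc/asterisk/sip.conf and sip_additional.conf instead.

```shell
#!/bin/sh
# Audit helper (added example, not part of RasPBX). Assumes Asterisk's
# ini-style SIP config and that "asterisk -V" prints "Asterisk <version>".

# Constructed sample config: one trunk and two extensions.
SAMPLE_CONF='[general]
bindport=5060
[mytrunk]
type=peer
nat=yes
[1001]
type=friend
nat=no
[1002]
type=friend
nat=yes
'

# Print the name of every section whose nat setting is exactly "yes".
# Those are the peers still exposed after the router/firewall check.
nat_yes_sections() {
    printf '%s\n' "$1" | awk '
        /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
        /^[ \t]*nat[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            if (v == "yes") print sec
        }'
}

# version_ge A B: exit 0 when dotted version A >= B, compared component-wise.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# rtp_fixed "Asterisk 13.17.1": exit 0 = at or above the fixed release,
# 1 = older than the fix, 2 = major version not covered by the thread.
rtp_fixed() {
    v=${1#Asterisk }
    case "${v%%.*}" in
        11) min=11.25.3 ;; 13) min=13.17.2 ;; 14) min=14.6.2 ;;
        *) return 2 ;;
    esac
    version_ge "$v" "$min"
}

nat_yes_sections "$SAMPLE_CONF"
```

Run `rtp_fixed "$(asterisk -V)"` on the box itself to check the installed build; a non-zero exit means the RTP fixes are not confirmed present.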
