Two New Asterisk Security Vulnerabilities Related To SMS And AMI

The great folks at the Digium / Asterisk Security Team have issued two new security advisories that anyone running Asterisk should pay attention to. They are:

AST-2013-006: Buffer Overflow When Receiving Odd Length 16 bit SMS Message – If you have Asterisk set up to receive SMS messages, an odd-length 16-bit SMS message can trigger a buffer overflow in Asterisk and crash the server. The fix is to upgrade to the latest version of Asterisk. The only attack path appears to be via SMS, so if you are not connecting SMS to Asterisk this advisory would seem not to apply to you.

AST-2013-007: Asterisk Manager User Dialplan Permission Escalation – The Asterisk Manager Interface (AMI) lets you control the operation of your Asterisk server from external applications or other systems. The Security Team notes that AMI allows the execution of dialplan functions that go beyond simply controlling Asterisk and can in fact issue shell commands to the underlying operating system. The new versions of Asterisk include a new option in asterisk.conf called, amusingly, “live_dangerously”, which can be set to “no” to forbid the execution of these functions. For backwards compatibility the default for this option is “yes”, because there may be applications in use that rely on these shell functions. It would seem prudent, though, to check whether you can set it to “no” to get the highest level of system security.
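A quick way to audit the setting just described, as an added example that is not part of the original post or of the Asterisk project: the script below reads an asterisk.conf-style file and reports the effective live_dangerously value. It assumes the option is only honoured in the [options] section, that an absent option means the backwards-compatible default of “yes” as the advisory states, and that if it appears more than once the last occurrence wins.

```shell
#!/bin/sh
# Added example, not from the original post or the Asterisk project.
# Assumptions: live_dangerously is read from [options] only; an absent
# option means the compatibility default "yes"; the last occurrence wins.

effective_live_dangerously() {
    # $1: path to an asterisk.conf-style file; prints the lowercased value
    awk '
        /^[ \t]*;/ { next }                       # whole-line comment
        /^[ \t]*\[/ {                             # section header, e.g. [options]
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/].*$/, "", section)
            next
        }
        section == "options" {
            line = $0
            sub(/;.*$/, "", line)                 # strip trailing comment
            if (match(line, /^[ \t]*live_dangerously[ \t]*=/)) {
                value = substr(line, RSTART + RLENGTH)
                gsub(/[ \t]/, "", value)
                found = value
            }
        }
        END { v = (found == "") ? "yes" : tolower(found); print v }
    ' "$1"
}

# Constructed sample configs (not real deployments) to exercise the check.
sample_dir=$(mktemp -d)

# 1. Legacy-style file: option absent, so the compatibility default applies.
printf '%s\n' '[directories]' 'astetcdir => /etc/asterisk' '' \
    '[options]' 'verbose = 3' > "$sample_dir/legacy.conf"

# 2. Hardened file: the setting the advisory recommends.
printf '%s\n' '[options]' 'verbose = 3' \
    'live_dangerously = no ; refuse shell-capable dialplan functions from AMI' \
    > "$sample_dir/hardened.conf"

# 3. Misplaced setting: right value, wrong section, so it has no effect.
printf '%s\n' '[directories]' 'live_dangerously = no' '[options]' 'verbose = 3' \
    > "$sample_dir/misplaced.conf"

for f in legacy hardened misplaced; do
    printf '%s: live_dangerously=%s\n' "$f" \
        "$(effective_live_dangerously "$sample_dir/$f.conf")"
done
```

Run it against /etc/asterisk/asterisk.conf on a real server to see which case you are in; anything other than “no” means the shell-capable dialplan functions remain reachable through AMI.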

I am not currently running any Asterisk systems myself, but it would seem to me that at a basic “security 101” level you should also make sure that access to the AMI port on your Asterisk server is restricted to only the systems running applications that need that access.

In any event, if you are an Asterisk user and haven’t upgraded to the latest version, these security alerts may be a good reason to do so!
