[asterisk-bugs] [JIRA] (ASTERISK-20622) Default enabling of the "allowguest" setting in Asterisk should be revisited, as it allows systems by default to be potentially vulnerable

Matt Jordan (JIRA) noreply at issues.asterisk.org
Tue Oct 30 06:56:18 CDT 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=199010#comment-199010 ] 

Matt Jordan edited comment on ASTERISK-20622 at 10/30/12 6:55 AM:
------------------------------------------------------------------

I'm sorry your system was attacked.  It isn't an enjoyable experience, and not a lot of fun when you end up on the hook for the costs associated with it.  The {{allowguest}} option has been enabled for some time in Asterisk by default, and we've had lots of debate about it in the past.  In fact, just making the suggested setting in the sample {{sip.conf}} ";allowguest=no" was a lot of debate - see ([here|http://lists.digium.com/pipermail/asterisk-dev/2009-November/040555.html] and [here|http://lists.digium.com/pipermail/asterisk-dev/2009-November/040392.html]).  While we've added lots of warnings and caveats, we've held back from changing the default value for this setting inside Asterisk for a variety of reasons (I'll let the mailing list discussions speak for themselves).

I'm okay with proposing (yet again) that the default inside Asterisk be made to "no".

That being said, I want to point out that there are some clear indications in the sample configuration files (and I stress the word *sample*, they are not meant for production use) that should have warned you that this option was enabled:

{noformat}
; Note: Please read the security documentation for Asterisk in order to
; 	understand the risks of installing Asterisk with the sample
;	configuration. If your Asterisk is installed on a public
;	IP address connected to the Internet, you will want to learn
;	about the various security settings BEFORE you start
;	Asterisk. 
;
;	Especially note the following settings:
;		- allowguest (default enabled)
;		- permit/deny - IP address filters
;		- contactpermit/contactdeny - IP address filters for registrations
;		- context - Which set of services you offer various users
{noformat}

Second, the sample configuration file states the following for the {{allowguest}} setting:
{noformat}
;allowguest=no                  ; Allow or reject guest calls (default is yes)
				; If your Asterisk is connected to the Internet
				; and you have allowguest=yes
				; you want to check which services you offer everyone
				; out there, by enabling them in the default context (see below).
{noformat}

This means that you not only had an option that you didn't want enabled in your {{sip.conf}}, but you also had your dialplan configured such that the default context specified in {{sip.conf}} allowed outbound calls.  Essentially, you have multiple vulnerabilities in your configuration that allowed the situation to occur.

Based on this, you may want to consider not exposing your services to the public until you've had a chance to fully read up on security best practices in Asterisk and double check all of your configuration for additional vulnerabilities.

A few things you should read before deploying your system:
* The README-SERIOUSLY.bestpractices.txt delivered with Asterisk
* [Asterisk: The Definitive Guide|http://ofps.oreilly.com/titles/9780596517342/], particularly the sections on Outside Connectivity and Security
* [Important Security Considerations|https://wiki.asterisk.org/wiki/display/AST/Important+Security+Considerations] on the Asterisk wiki

Finally, if you're on Asterisk 10+, there are some facilities available to you that will help you track security threats to your system.  They certainly beat having to look at CDR records!  (1.8 has mechanisms other than that as well, but nothing terribly formal)  See [Asterisk Security Framework|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Framework] for more information.
                
      was (Author: mjordan):
    I'm sorry your system was attacked.  It isn't an enjoyable experience, and not a lot of fun when you end up on the hook for the costs associated with it.  The {{allowguest}} option has been enabled for some time in Asterisk by default, and we've had lots of debate about it in the past.  In fact, just making the suggested setting in the sample {{sip.conf}} ";allowguest=no" was a lot of debate - see ([here|http://lists.digium.com/pipermail/asterisk-dev/2009-November/040555.html] and [here|http://lists.digium.com/pipermail/asterisk-dev/2009-November/040392.html]); we've held back from changing the default value inside Asterisk from 'Yes' due to a variety of reasons (I'll let the mailing list discussions speak for themselves).

I'm okay with proposing (yet again) that the default inside Asterisk be made to "no".

That being said, I want to point out that there are some clear indications in the sample configuration files (and I stress the word *sample*, they are not meant for production use) that should have warned you that this option was enabled:

{noformat}
; Note: Please read the security documentation for Asterisk in order to
; 	understand the risks of installing Asterisk with the sample
;	configuration. If your Asterisk is installed on a public
;	IP address connected to the Internet, you will want to learn
;	about the various security settings BEFORE you start
;	Asterisk. 
;
;	Especially note the following settings:
;		- allowguest (default enabled)
;		- permit/deny - IP address filters
;		- contactpermit/contactdeny - IP address filters for registrations
;		- context - Which set of services you offer various users
{noformat}

Second, the sample configuration file states the following for the {{allowguest}} setting:
{noformat}
;allowguest=no                  ; Allow or reject guest calls (default is yes)
				; If your Asterisk is connected to the Internet
				; and you have allowguest=yes
				; you want to check which services you offer everyone
				; out there, by enabling them in the default context (see below).
{noformat}

This means that you not only had an option that you didn't want enabled in your {{sip.conf}}, but you also had your dialplan configured such that the default context specified in {{sip.conf}} allowed outbound calls.  Essentially, you have multiple vulnerabilities in your configuration that allowed the situation to occur.

Based on this, you may want to consider not exposing your services to the public until you've had a chance to fully read up on security best practices in Asterisk and double check all of your configuration for additional vulnerabilities.

A few things you should read before deploying your system:
* The README-SERIOUSLY.bestpractices.txt delivered with Asterisk
* [Asterisk: The Definitive Guide|http://ofps.oreilly.com/titles/9780596517342/], particularly the sections on Outside Connectivity and Security
* [Important Security Considerations|https://wiki.asterisk.org/wiki/display/AST/Important+Security+Considerations] on the Asterisk wiki

Finally, if you're on Asterisk 10+, there are some facilities available to you that will help you track security threats to your system.  They certainly beat having to look at CDR records!  (1.8 has mechanisms other than that as well, but nothing terribly formal)  See [Asterisk Security Framework|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Framework] for more information.
                  
> Default enabling of the "allowguest" setting in Asterisk should be revisited, as it allows systems by default to be potentially vulnerable
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20622
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20622
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.11.1
>         Environment: openSUSE 12.1 32bit
> Linux dmbsrv 3.1.10-1.16-pae #1 SMP Wed Jun 27 05:21:40 UTC 2012 (d016078) i686 athlon i386 GNU/Linux
>            Reporter: Dirk-Michael Brosig
>            Assignee: Rusty Newton
>            Severity: Critical
>
> An attacker can dial in the default context without valid authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
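The comment above pins the exposure on two settings acting together: {{allowguest}} left at its default of yes in the {{[general]}} section of {{sip.conf}}, and the context named there having a dialplan that reaches {{Dial()}}. The following is an added example, written for this page and not part of Asterisk or of the comment author's text, that audits a {{sip.conf}}/{{extensions.conf}} pair for exactly that combination. It assumes the built-in defaults the sample file documents (allowguest defaults to yes) and assumes the fallback context name is "default"; the sample configuration texts inside it are constructed for the example, and the include-following is a simplification of Asterisk's real dialplan resolution.

```python
"""Audit an Asterisk sip.conf / extensions.conf pair for the ASTERISK-20622
exposure: allowguest at its default of "yes" combined with a [general]
context whose dialplan (directly or via include =>) reaches Dial().
Added example; the sample configs below are constructed, not Asterisk's."""
import re

# Constructed: sip.conf as the sample ships it, allowguest still commented out.
SIP_AS_SHIPPED = """
[general]
context=default           ; where unauthenticated (guest) calls land
;allowguest=no            ; commented out, so the built-in default (yes) applies
"""

# Constructed: a default context that pulls in an outbound trunk context.
EXT_OPEN = """
[default]
include => outbound
exten => 1000,1,Answer()

[outbound]
exten => _9.,1,Dial(SIP/trunk/${EXTEN:1})
"""

# Constructed: hardened pair, guests rejected and the guest context a dead end.
SIP_HARDENED = """
[general]
context=public
allowguest=no
"""

EXT_HARDENED = """
[public]
exten => s,1,Hangup()
"""


def parse_asterisk_conf(text):
    """Parse Asterisk's INI-like syntax into {section: [(key, value), ...]}.
    Strips ';' comments and accepts both 'key=value' and 'key=>value'.
    Keys repeat (exten =>, include =>), so each section keeps an ordered list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # no quoted ';' in these files
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if "=>" in line:
            key, _, val = line.partition("=>")
        elif "=" in line:
            key, _, val = line.partition("=")
        else:
            continue
        sections[current].append((key.strip(), val.strip()))
    return sections


def general_setting(sip, key, default):
    """Return the last [general] value for key (last one wins), else the default."""
    value = default
    for k, v in sip.get("general", []):
        if k == key:
            value = v
    return value


def context_dials_out(extensions, context, seen=None):
    """True if the context, or any context it includes, invokes Dial()."""
    seen = seen if seen is not None else set()
    if context in seen:  # guard against include loops
        return False
    seen.add(context)
    for key, val in extensions.get(context, []):
        if key == "include" and context_dials_out(extensions, val, seen):
            return True
        if key == "exten" and re.search(r"\bDial\s*\(", val, re.IGNORECASE):
            return True
    return False


def audit(sip_text, ext_text):
    """Report whether guests are accepted and whether their context can place calls."""
    sip, ext = parse_asterisk_conf(sip_text), parse_asterisk_conf(ext_text)
    allowguest = general_setting(sip, "allowguest", "yes").lower()  # assumed default: yes
    ctx = general_setting(sip, "context", "default")                # assumed default: "default"
    findings = []
    if allowguest in ("yes", "true", "1"):
        findings.append(f"allowguest={allowguest}: unauthenticated calls land in context '{ctx}'")
    if context_dials_out(ext, ctx):
        findings.append(f"context '{ctx}' reaches Dial(), so guests can place calls")
    return {"allowguest": allowguest, "context": ctx, "findings": findings}


if __name__ == "__main__":
    for label, pair in (("as shipped", (SIP_AS_SHIPPED, EXT_OPEN)),
                        ("hardened", (SIP_HARDENED, EXT_HARDENED))):
        print(label, audit(*pair)["findings"] or ["no findings"])
```

Either finding on its own is a warning; both together are the situation the comment describes. The hardened pair shows the two independent fixes: set allowguest=no, and give the guest context nothing to do but hang up, so that even a future regression on the first setting does not reopen outbound calling.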