<br><br><div class="gmail_quote">On Fri, Mar 9, 2012 at 4:10 PM, Kevin P. Fleming <span dir="ltr"><<a href="mailto:kpfleming@digium.com">kpfleming@digium.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 03/09/2012 02:56 PM, Josh Freeman wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The most current patched Asterisk, along with the most current app_rpt,<br>
can be found at<br>
<br>
<a href="http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/" target="_blank">http://svn.ohnosec.org/svn/<u></u>projects/allstar/astsrc-1.4.<u></u>23-pre/trunk/</a><br>
</blockquote>
<br></div>
I'm really trying to avoid fanning the flames here, but if that code is *really* based on 1.4.23, and hasn't been kept up to date with the Asterisk 1.4 releases, then that means it contains a number of security vulnerabilities that users should be aware of. Some of them are user enumeration vulnerabilities, but others (like AST-2011-010, AST-2011-005, AST-2011-001, and maybe more) are more serious.<span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Kevin P. Fleming<br>
Digium, Inc. | Director of Software Technologies<br>
Jabber: <a href="mailto:kfleming@digium.com" target="_blank">kfleming@digium.com</a> | SIP: <a href="mailto:kpfleming@digium.com" target="_blank">kpfleming@digium.com</a> | Skype: kpfleming<br>
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA<br>
Check us out at <a href="http://www.digium.com" target="_blank">www.digium.com</a> & <a href="http://www.asterisk.org" target="_blank">www.asterisk.org</a></font></span><div class="HOEnZb"><div class="h5"><br>
<br></div></div></blockquote><div><br></div><div>Kevin,</div><div><br></div><div>You are not fanning any flames, that is a good point and anyone that deploys this technology should have to read a disclaimer as to vulnerabilities. I am well aware that there have been some serious security issues in those earlier versions.</div>
<div><br></div><div>As for an Asterisk Box, or probably better described by what It is used for, a Repeater or Base Station Controller Boxen, I have them locked down in IPTables and in Asterisk. There are usually not more then a dozen or so RoIP conncted repeaters. </div>
<div><br></div><div>In my case, I only open one port for OpenVPN and I define the other repeaters by host=IP. As far as "Soft Radios and Autopatch" that function is taken care of by a "real" Asterisk server that is more of a PBX and faces the world, not the "Repeater Controller", again, one entry defined by IP over OpenVPN. Bridged or routed, they non-routeable IPs. The RoIP VPN is only accessible through that tunnel, which is dedicated for that purpose.</div>
<div><br></div><div>I am very mindful of security, especially dealing with DoD, but pretty much apply the same kind of security on any implementation. <br></div><div><br></div><div>Obviously, these security issues should be patched, but I feel that in my implementations, things are very secure.</div>
<div><br></div><div>Thanks,</div><div>Steve T</div></div>