Olle E. Johansson, CEO Edvina AB and Matt Jordan, Engineering Manager for the Open Source Software team at Digium discuss the Heartbleed vunerability in Asterisk.
Recently, a vulnerability was discovered in the ubiquitous OpenSSL library. This bug, dubbed “Heartbleed”, allows unauthenticated attackers to discover and steal TLS/SSL protected information from vulnerable clients and servers. As the primary means of protecting information is typically performed using OpenSSL, the severity of this vulnerability cannot be underestimated.
Asterisk uses OpenSSL to encrypt signaling communication in many of its channel drivers, dialplan applications, and core functionality. This includes SIP and XMPP channel drivers, as well as the AMI and ARI interfaces. If you are using TLS with Asterisk and are using a vulnerable version of OpenSSL, you should upgrade your version of OpenSSL to a version containing the Heartbleed fix immediately. Versions of OpenSSL that are affected by the vulnerability include OpenSSL 1.0.1 through 1.0.1f, inclusive.
- Check if you have a vulnerable version of OpenSSL. Use the Linux/Unix command “openssl version”. If your version of OpenSSL is not a version previously mentioned, you are not exposed to this potential attack.
- Stop your asterisk process.
- Upgrade your OpenSSL libraries using the tools provided by your operating system.
- Generate new key material, a new CSR and get a new TLS certificate for Asterisk.
- Restart Asterisk with a new certificate.
If your Asterisk was using a vulnerable version of OpenSSL, consider changing credentials for accessing the system, like SIP secrets, AMI username and password, etc.
More information on the Heartbleed vulnerability can be found at http://heartbleed.com/.
We in the Asterisk community take the issue of security very seriously. We highly encourage all Asterisk administrators to verify their installations of Asterisk and upgrade their versions of OpenSSL, if necessary. If you have any concerns about security with Asterisk, please feel free to contact the Asterisk developers using the firstname.lastname@example.org mail
Co-author – Olle E. Johansson, CEO Edvina AB, Sweden and has more than 25 years of experience in the Unix and networking business, with ten years of VoIP experience. He is an Asterisk and Kamailio developer, trainer and consultant. The focus is on building large scale customized platforms for carriers, call centers and enterprises. Olle is also an advisor to many startups. After 25 years with IPv4 networking, he is also a strong advocate of IPv6 migration, being an active member and contributor to SIP Forum and IETF.