
March Madness: Another Asterisk Security Hole in TrixBox Systems

Here we go again. It's a repeat of the week before last when everything gets put on hold in order to patch (another) denial of service security problem with Asterisk®. All versions are apparently affected. We obviously can't provide step-by-step instructions for each and every version of Asterisk@Home and TrixBox. But we have thousands of loyal readers that depend upon TrixBox 1.2.3 systems in a production environment. So today's column is for these folks. Our special thanks to Bubba for lending a technical hand as well. This should work reliably on all Nerd Vittles editions of TrixBox 1.2.3. That includes PBX-in-a-Flash implementations on Linux systems as well as Nerd Vittles VMware builds of TrixBox 1.2.3 which run on Windows and Mac desktop systems. If you're running a different system, you'll have to read between the lines and do the best you can. Based upon the results two weeks ago, this fix should also work on Trixbox 2.x systems. If you really get stumped, post your questions on the TrixBox forums and someone will come to your rescue. Make a backup of your system before you begin. For an excellent free backup solution, visit Thomas King's site for Backup 2 and follow the instructions.

The Asterisk Security Problem. The issue involves a hole which allows an improperly formatted SIP packet to crash your server. For more details, go here. In the scheme of things, security problems don't get much worse than this one. All Asterisk servers accept SIP INVITE packets so all Asterisk servers can be crashed from any remote location. New versions of both Asterisk and Zaptel are again available, and today we'll show you how to apply the upgrade to Nerd Vittles TrixBox 1.2.3 systems.

Getting the Latest Kernel Source for TrixBox. If you went through this knuckle-drill two weeks ago, you can skip this step. Otherwise, be aware that TrixBox systems don't ship with kernel source code so we have to begin there before we have the necessary pieces in place to compile the new version of Asterisk and Zaptel. Log into your Asterisk server as root and issue the following command:

yum -y install kernel-devel kernel

Addressing the RedHat Bug. Every time the kernel is updated, Zaptel module support needs to be rebuilt against the new kernel. Unfortunately, a RedHat bug (inherited by CentOS) causes the rebuilding process to fail. Here's the fix. Log into your new server as root and issue the following commands to determine which new kernel source was loaded on your system:

cd /usr/src/kernels
ls

You should see an entry that looks something like this: 2.6.9-34.0.2.EL-something. Depending upon the processor in your system, the something may differ from what we see on our machine. Write down the name of the new kernel directory and substitute it below for 2.6.9-34.0.2.EL-i686. Now issue these commands:

cd /usr/src/kernels/2.6.9-34.0.2.EL-i686/include/linux
mv spinlock.h spinlock.h.old
wget http://nerdvittles.com/trixbox/spinlock.h
shutdown -r now

Fixing a Source Code Wrinkle. At least one of the existing (older) source modules in the TrixBox 1.2.3 build will cause Asterisk to fail to restart after updating Asterisk. The simple fix below solved it for us. Your mileage may vary. If you have problems, look at the tail of the Asterisk error log (tail /var/log/asterisk/full) and then find the offending source module in the directory shown below. Rename the module and try the compiles again. Here's the error we received (app_speech_utils.so: Asterisk died with code 1.) and what solved it for us without breaking anything (actually it apparently does break Lumenvox; see Comment #7 from two weeks ago if you're using Lumenvox):

cd /usr/lib/asterisk/modules
mv app_speech_utils.so app_speech_utils.so.old

Installing Asterisk 1.2.17 and Zaptel 1.2.16. Now we're ready to install the Asterisk and Zaptel updates. While still logged in as root, execute the following commands in order:

amportal stop

cd /usr/src
wget http://ftp.digium.com/pub/telephony/zaptel/zaptel-1.2.16.tar.gz
wget http://ftp.digium.com/pub/telephony/libpri/libpri-1.2.4.tar.gz
wget http://ftp.digium.com/pub/telephony/asterisk/asterisk-1.2.17.tar.gz
wget http://ftp.digium.com/pub/telephony/asterisk/asterisk-addons-1.2.5.tar.gz

tar -zxvf zaptel-1.2.16.tar.gz
tar -zxvf libpri-1.2.4.tar.gz
tar -zxvf asterisk-1.2.17.tar.gz
tar -zxvf asterisk-addons-1.2.5.tar.gz

cd zaptel-1.2.16
make clean
make install
cd ..

cd libpri-1.2.4
make clean
make install
cd ..

cd asterisk-1.2.17
make clean
make install
cd ..

cd asterisk-addons-1.2.5
make clean
make install
cd ..

shutdown -r now

Now rebuild support for your ZAP devices or ztdummy if you have no ZAP devices. Log in as root again and type the following command: rebuild_zaptel. Then reboot your system: shutdown -r now. Now log in as root again. If you have zaptel devices, type modprobe wcfxo. Whether you have zaptel devices or not, type amportal stop and then genzaptelconf. Reboot your system again, and you should be back in business with a rock solid Asterisk system. Be sure to read the comments below as well as the original comments (especially 5, 8, 10, and 11) if this is your first attempt to patch Asterisk. There was a slight glitch with Music on Hold and the Voicemail introductory message, but we've found the fixes for both of those, and they're documented in the original comments if you run into the same problems. Enjoy!
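As an added example (not the article's own commands and not the scripted solution it links to), the download-and-build sequence above wrapped in a POSIX shell script that stops at the first failed command and refuses to reboot unless the freshly installed binary reports Asterisk 1.2.17 or newer. The helper names, the --run guard, the version-comparison logic and the sample version strings are assumptions; the tarball URLs and version numbers are the ones given in the article. The post-reboot steps (rebuild_zaptel, modprobe wcfxo, amportal stop, genzaptelconf) still have to be run by hand after the machine comes back up.

```shell
#!/bin/sh
# Added example: scripted version of the Asterisk 1.2.17 / Zaptel 1.2.16 upgrade.
# Assumes a root shell on a Nerd Vittles TrixBox 1.2.3 box with wget and make.
set -e

SRC_DIR=/usr/src
DIGIUM=http://ftp.digium.com/pub/telephony
ZAPTEL_VER=1.2.16
LIBPRI_VER=1.2.4
ASTERISK_VER=1.2.17      # first release carrying the SIP INVITE crash fix per the article
ADDONS_VER=1.2.5

# version_ge A B: succeed when dotted numeric version A is >= B.
# Missing trailing components count as 0, so 1.2 equals 1.2.0.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ -z "$ai" ]; then ai=0; fi
        if [ -z "$bi" ]; then bi=0; fi
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# asterisk_patched "Asterisk 1.2.17": succeed when the string produced by
# `asterisk -V` names a version at or above ASTERISK_VER; fail on anything else.
asterisk_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Asterisk \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    version_ge "$ver" "$ASTERISK_VER"
}

# build_package SUBDIR NAME VERSION: fetch NAME-VERSION.tar.gz from the Digium
# mirror subdirectory, unpack it and run the same make clean / make install
# the article uses. Any failure aborts the whole script because of set -e.
build_package() {
    cd "$SRC_DIR"
    wget "$DIGIUM/$1/$2-$3.tar.gz"
    tar -zxf "$2-$3.tar.gz"
    cd "$2-$3"
    make clean
    make install
}

run_upgrade() {
    amportal stop
    build_package zaptel   zaptel         "$ZAPTEL_VER"
    build_package libpri   libpri         "$LIBPRI_VER"
    build_package asterisk asterisk       "$ASTERISK_VER"
    build_package asterisk asterisk-addons "$ADDONS_VER"
    # Verify what actually got installed before taking the PBX down for a reboot.
    if ! asterisk_patched "$(asterisk -V)"; then
        echo "asterisk -V did not report $ASTERISK_VER or newer; not rebooting" >&2
        exit 1
    fi
    shutdown -r now
}

# Nothing destructive runs unless the script is invoked as: sh upgrade.sh --run
if [ "${1:-}" = "--run" ]; then
    run_upgrade
fi
```

The version check is the part worth keeping even if you run the builds by hand: a box that still answers `asterisk -V` with 1.2.16 or older after the reboot has not been patched, however cleanly the makes appeared to finish.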

P.S. There now is also a scripted solution to this update if you prefer auto-pilot. Here's the link.


trixbox Appliance. In case you missed it, Fonality has announced a new line of turnkey trixbox appliances. Two-port and six-port configurations as well as models with one and two preconfigured T1s, mirrored drives, and redundant power supplies will be available for purchase in June starting at $999 for the base model. Stay tuned to Nerd Vittles for a sneak peek and test drive of what's coming. In the meantime, you can read all about the new line of trixbox appliances by clicking on the link at the top of the page. Great idea!


Nerd Vittles Demo Hot Line (courtesy of les.net). You now can take a number of Nerd Vittles projects for a test drive... by phone! The current demos include (1) MailCall for Asterisk with password 1111 (retrieve your email by phone), (2) NewsClips for Asterisk (latest news headlines in dozens of categories), (3) Weather Forecasts by U.S. Airport Code, and (4) Weather Forecasts by U.S. ZIP Code. You're not prompted for #4 yet, but it does work! Just call our number (shown in the left margin) and take any or all of them for a spin. The sound quality may not be perfect due to performance limitations of our ancient Intel 386 demo machine. But the price is right.

Nerd Vittles Fan Club Map. Thanks for visiting! We hope you'll take a second and add yourself to our Frappr World Map compliments of Google. In making your entry, you can choose an icon: guy, gal, nerd, or geek. For those that don't know the difference in the last two, here's the best definition we've found: "a nerd is very similar to a geek, but with more RAM and a faster modem." We're always looking for the best BBQ joints on the planet. So, if you know of one, add it to the map while you're visiting as well.


3 Comments

  1. Is the Trixbox 1.2.3.iso that is linked in the 6 NOV 06 posting updated to reflect these (and previous) Nerd Vittles addressed security updates?

    In other words, if I install PBX-in-a-flash today using the latest download, do I have to install all of the subsequent fixes?

    [WM: You’ll still need to do the Asterisk upgrade.]

  2. Running a Nerd Vittles Trixbox 1.2.3 on a pentium 3. Followed the instructions but now cannot access the Asterisk manager via Freepbx. Looks like there is a problem with the zaptel modules. None of the other fixes mentioned seem to work. Any ideas?

Comments are closed.