Home » Technology » Another Asterisk Security Hole to Plug in TrixBox Systems (updated)

The Most Versatile VoIP Provider: FREE PORTING

Another Asterisk Security Hole to Plug in TrixBox Systems (updated)

blankHere we go again to patch another denial of service problem and some SIP vulnerabilities with Asterisk®. All versions are apparently affected. We obviously can't provide step-by-step instructions for each and every version of Asterisk@Home and TrixBox. But we have thousands of loyal readers that depend upon TrixBox 1.2.3 systems in a production environment. So today's column is for these folks. Our special thanks to Bubba for lending a technical hand as well. We've tested this pretty carefully on Nerd Vittles editions of TrixBox 1.2.3. That includes PBX-in-a-Flash implementations on Linux systems as well as Nerd Vittles VMware builds of TrixBox 1.2.3 which run on Windows and Mac desktop systems. If you're running a different system, you'll have to read between the lines and do the best you can. It reportedly works fine to upgrade Trixbox 2.x sysems as well. If you really get stumped, post your questions on the TrixBox forums and someone will come to your rescue. Make a backup of your system before you begin. For an excellent free backup solution, visit Thomas King's site for Backup 2 and follow the instructions.

The Asterisk Security Problem. Today's issues are well documented on the asterisk-announce mailing list. You can read the archive here. Incidentally, for those that didn't know it, we've provided a convenient link to all of the Asterisk mailing list archives in the right column. Just click on Asterisk ListServ. New versions of both Asterisk and Zaptel are now available, and today we'll show you how to apply the upgrade to Nerd Vittles TrixBox 1.2.3 systems.

Getting the Latest Kernel Source for TrixBox. TrixBox systems don't ship with kernel source code so we have to begin there before we have the necessary pieces in place to compile the new version of Asterisk and Zaptel. Log into your Asterisk server as root and issue the following command:

yum -y install kernel-devel kernel

Addressing the RedHat Bug. Every time there is an update using the Asterisk kernel, module support needs to be rebuilt using the new kernel. Unfortunately, a RedHat bug (inherited by CentOS) causes the rebuilding process to fail. Here's the fix. Log into your new server as root and issue the following commands to determine which new kernel source was loaded on your system:

cd /usr/src/kernels
ls

You should see an entry that looks something like this: 2.6.9-34.0.2.EL-something. Depending upon the processor in your system, the something may be different than our machine. Write down the name of the new kernel directory and substitute it below for 2.6.9-34.0.2.EL-i686. Now issue these commands:

cd /usr/src/kernels/2.6.9-34.0.2.EL-i686/include/linux
mv spinlock.h spinlock.h.old
wget http://nerdvittles.com/trixbox/spinlock.h
shutdown -r now

Fixing Some Source Code Wrinkles. At least one of the existing (older) source modules in the TrixBox 1.2.3 build will cause Asterisk to fail to restart after updating Asterisk. The simple fix below solved it for us. Your mileage may vary. If you have problems, look at the tail of the Asterisk error log (tail /var/log/asterisk/full) and then find the offending source module in the directory shown below. Rename the module and try the compiles again. Here's the error we received (app_speech_utils.so: Asterisk died with code 1.) and what solved it for us without breaking anything (actually it apparently does break Lumenvox; review Comment #7 in our previous security column for how to fix it):

cd /usr/lib/asterisk/modules
mv app_speech_utils.so app_speech_utils.so.old

It also has been reported that some versions of TrixBox may no longer function without adding the openssl-devel module. Thanks to David Josephson for the heads up.

yum install openssl-devel

Installing Asterisk 1.2.18 and Zaptel 1.2.17 and AddOns 1.2.6. Now we're ready to install the updates. While still logged in as root, execute the following commands in order:

amportal stop

cd /usr/src
wget http://ftp.digium.com/pub/telephony/zaptel/zaptel-1.2.17.1.tar.gz
wget http://ftp.digium.com/pub/telephony/libpri/libpri-1.2.4.tar.gz
wget http://ftp.digium.com/pub/telephony/asterisk/asterisk-1.2.18.tar.gz
wget http://ftp.digium.com/pub/telephony/asterisk/asterisk-addons-1.2.6.tar.gz

tar -zxvf zaptel-1.2.17.1.tar.gz
tar -zxvf libpri-1.2.4.tar.gz
tar -zxvf asterisk-1.2.18.tar.gz
tar -zxvf asterisk-addons-1.2.6.tar.gz

cd zaptel-1.2.17.1
make clean
make install
cd ..

cd libpri-1.2.4
make clean
make install
cd ..

cd asterisk-1.2.18
make clean
make install
cd ..

cd asterisk-addons-1.2.6
make clean
make install
cd ..

shutdown -r now

Now rebuild support for your ZAP devices or ztdummy if you have no ZAP devices. Log in as root again and type the following command: rebuild_zaptel. Then reboot your system: shutdown -r now. Now log in as root again. If you have zaptel devices, type modprobe wcfxo. Whether you have zaptel devices or not, type amportal stop and then genzaptelconf. Reboot your system again, and you should be back in business.

freePBX Cleanup. For some reason, these security updates cause some minor problems with the freePBX configuration. Some users report that Music on Hold stops functioning while others have indicated that the introductory prompt for voice mail stops functioning. Both fixes are simple. Here's how.

For the Music on Hold problem, open freePBX with your web browser. Click MusicOnHold, then click Default under the Add Music Category listing. Now click Enable Random Play button, and click the Red Bar to reload Asterisk.

For the introductory voice prompt with voice mail, click General Settings. The fifth option on the page is Direct Dial to VoiceMail Message Type. Change the setting from Default to Unavailable. Save your change and click the Red Bar to reload Asterisk. You should have smooth sailing after these tweaks. Enjoy!

Securing AsteriDex. If you have a preconfigured TrixBox system that includes our very own AsteriDex, you'll need to download and install this simple patch to resolve a security vulnerability that was discovered. Log into your Asterisk server as root and issue the following commands:

cd /var/www/html/asteridex
rm -f callboth.php
wget http://nerdvittles.com/trixbox11/callboth.zip
unzip callboth.zip
rm -f callboth.zip
chown asterisk:asterisk callboth.php
chmod 775 callboth.php


blankblankNerd Vittles Demo Hot Line (courtesy of les.net). You now can take a number of Nerd Vittles projects for a test drive... by phone! The current demos include (1) MailCall for Asterisk with password 1111 (retrieve your email by phone), (2) NewsClips for Asterisk (latest news headlines in dozens of categories), (3) Weather Forecasts by U.S. Airport Code, and (4) Weather Forecasts by U.S. ZIP Code. You're not prompted for #4 yet, but it does work! Just call our number (shown in the left margin) and take any or all of them for a spin. The sound quality may not be perfect due to performance limitations of our ancient Intel 386 demo machine. But the price is right.

Nerd Vittles Fan Club Map. Thanks for visiting! We hope you'll take a second and add yourself to our Frappr World Map compliments of Google. In making your entry, you can choose an icon: guy, gal, nerd, or geek. For those that don't know the difference in the last two, here's the best definition we've found: "a nerd is very similar to a geek, but with more RAM and a faster modem." We're always looking for the best BBQ joints on the planet. So, if you know of one, add it to the map while you're visiting as well.


Some Recent Nerd Vittles Articles of Interest...


8 Comments

  1. Hi Ward

    I have updated my script to include your new steps and revised the source code revision numbers.

    http://www.script-trix.us/updatesource.htm

    So far it seems to work just great. Thanks for all of your hard work.

    Tom

    [WM: Tom’s script will need a little updating for the new Zaptel and Addon modules which were released overnight. Tom has made this incredibly easy to fix. Just don’t forget to do it.]

  2. First off, thanks for all the great help & tips – I have a working system despite being a complete newbie.

    One of the pieces of advice you gave, I fully intended to follow – not rushing into upgrading, but of course I didn’t…

    I was going to wait a few days before applying these patches, in case anything changed. The following two lines do not work:

    wget http://ftp.digium.com/pub/telephony/zaptel/zaptel-1.2.16.tar.gz
    wget http://ftp.digium.com/pub/telephony/asterisk/asterisk-addons-1.2.5.tar.gz

    The current versions are now 1.2.17.1 & 1.2.6 respectively. I wasn’t sure whether to go for ‘bleeding edge’ or follow your instructions, I went with the latter and used:

    wget http://ftp.digium.com/pub/telephony/zaptel/releases/zaptel-1.2.16.tar.gz
    wget http://ftp.digium.com/pub/telephony/asterisk/releases/asterisk-addons-1.2.5.tar.gz

    This appears to have worked for me, I now await your next telling me I should have gone with the other option!

    Many thanks again.

    [WM: Thanks for the heads up. Didn’t know we were going to have to update this article EACH DAY when we wrote it.]

  3. Some of these versions are already out of date. Is it safe to go with zaptel-1.2.17.1 and asterisk-addons-1.2.6?

    [WM: Beats me, but there’s usually a very good reason for the new releases. So much for testing. Go for it! We’ve updated the article as well.]

  4. Ward,

    Is there any particular reason not to update asterisk via yum? It’s installed on the Trixbox 1.2.3 systems by default, and a simple "yum -y update asterisk" took care of my upgrade rather nicely.

    [WM: The yum option wasn’t available when the article was written.]

  5. Beware, I’ve upgraded last weekend to zaptel-1.2.17.1, and the system totaly crashed with Kernel Panic. Even the Linux was stuck and I had to reinstall everything from scratch on a production sever. I use Trixbox 2.0 and Sangoma A200. FYI..

  6. Digium is only hosting zaptel-1.2.17.1 now, NOT zaptel-1.2.17.
    With that and comment #6 (Michael) I’m going to hold off due
    to the phear phactor alone.

    [WM: Yeah, it’s been a rough couple of weeks for the developers. Been there, done that.]

Comments are closed.