It all started with this warning from the IC3:
New Technique Utilizing Private Branch Exchange (PBX) Systems To Conduct Vishing Attacks
The FBI has received information concerning a new technique used to conduct vishing attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software.
My esteemed colleagues Rich Tehrani and Greg Galitzine did some research to find out what the story was, including contacting Digium's John Todd.
Here's Rich's take:
Before commenting I waited to hear back from Digium's John Todd who explained that there were some methodology and editorial process issues in this alert - basically no one checked with Digium before going public. As it turns out, after checking with Digium, the FBI quickly revised their statement and everything is fine.
The details are that there was a bug which Digium found in March of 2008 and subsequently patched in versions 1.2 and 1.4. Version 1.6 is not affected. Besides, according to Todd, the security issue would arise if system administrators basically disregarded logical security measures like using numerals in passwords.
Greg Galitzine also writes about the FBI's Asterisk warning in an article titled Digium Defends Asterisk Against Fed Warning: "Tempest in a Teapot".
In it, Greg writes:
Todd writes in a blog entry titled SIP Security and Asterisk:
That bug allowed in some cases unauthorized callers to make calls through an unprotected "context" in Asterisk. Due to the nature of the bug there was fairly limited exposure - it would have required a fairly unusual set of configurations to permit fraud, and there was both a simple config file change that would provide protection, as well as an actual patch to the code which we have every reason to believe has been widely implemented by the very proactive Open-Source community using Asterisk in production environments. The bug didn't allow arbitrary setting of caller ID, and would only work in a limited set of circumstances that personally I think would be unusual, though possible.
Early on, Todd had a sense that this might just be a misunderstanding: "Sorry for the fuss, and I suspect this is just a tempest in a teapot. Use good passwords, keep your packet filters up, and I'll update things here as we hear more."
Digium's John Todd wrote an excellent blog post describing what happened after he was able to contact the FBI in charge of the security warning. While there was indeed a security vulnerability in Asterisk, it was patched in 1.2 and 1.4 and doesn't exist in 1.6. Thus, someone would have to be using a very old version of Asterisk. And as for the security vulnerability itself which seemed to enable vishing attacks, John indicates that it was a relatively obscure exploit and "an administrator would have to consciously configure their system in what I believe to be an extremely unusual way in order to be victimized by this particular vulnerability." So indeed in John's own words, it seems to be a tempest in a teapot after all.
John Todd wrote:
As we had surmised, the warning from the IC3/FBI on Friday was just a re-hash of a bug that was fixed back in March of this year. I was in touch with the agent in charge of this release this morning (after contact attempts on Friday failed) and he understood quickly that the wording was lacking in ways that created questions in the minds of readers, and this was being amplified by bloggers who more clearly outlined the set of questions raised by the advisory/release. To his credit, the IC3 agent quickly pushed through a set of changes today to the posting which more specifically describes the issue, which indeed is the AST-2008-003 SIP guest permissions problem.
John Todd complains about the "vagueness" of the original warning, but in an update after speaking to the IC3 agent he credits the agent with quickly revising the posting so that it specifically identifies the issue as the AST-2008-003 SIP guest permissions problem (an old issue).
John Todd also wrote:
This bug was discovered and patched for 1.2 and 1.4 versions of the software, and 1.6 releases were not vulnerable. Simple changes to site-specific configurations typically would be all that would be required even on systems that did not get patched or upgraded. The bug that is described is relatively obscure, and was found by Jason Parker here at Digium. We didn't know of any "in the wild" exploits back then, though of course there may be some now. I'm still somewhat surprised that anyone has been able to use this bug to the extent that they were able to mount "vishing" attacks. While I won't get into the details of configuration specifics, I would say that an administrator would have to consciously configure their system in what I believe to be an extremely unusual way in order to be victimized by this particular vulnerability.
So, my Asterisk-loving friends: if you are indeed running patched 1.2/1.4 Asterisk or 1.6, you have nothing to worry about from this particular bug. And if you aren't running these versions, what the heck is wrong with you? And you call yourself an Asterisk fan. For shame!
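For readers who want to check their own boxes, here is the shape of the "simple config file change" Todd refers to: an unprotected context that unauthenticated SIP callers can reach, beside a layout that refuses guests and gives any guest context no path to the trunk. This is an added example, not Digium's code and not the exact AST-2008-003 patch; the peer, trunk and context names are hypothetical, and the weak layout is an assumed illustration of what "an unprotected context" looks like rather than a description of the specific bug.

```ini
; ---- Weak layout (assumed illustration; names are hypothetical) ----
; sip.conf
[general]
context=default        ; unauthenticated INVITEs land in the "default" context
allowguest=yes         ; anonymous SIP callers are accepted at all

[mytrunk]              ; hypothetical upstream SIP provider
type=peer
host=sip.provider.example
fromuser=myaccount
secret=trunkpassword

; extensions.conf
[default]
exten => _9X.,1,Dial(SIP/mytrunk/${EXTEN:1})   ; anyone who reaches "default" can dial out

; ---- Hardened layout ----
; sip.conf
[general]
allowguest=no          ; reject INVITEs from callers Asterisk cannot authenticate
alwaysauthreject=yes   ; same reply for unknown user and bad password, so names can't be enumerated
context=public-inbound ; if a guest ever does land here, there is no trunk to reach

[office-phone1]        ; hypothetical authenticated handset
type=friend
host=dynamic
secret=S3cure-Ph0ne-Passw0rd!   ; Todd's "good passwords": mixed letters and numerals, not "1234"
context=internal       ; only authenticated devices get the dial-out context

; extensions.conf
[public-inbound]
exten => s,1,NoOp(Unauthenticated or inbound caller: no trunk access in this context)
exten => s,n,Hangup()

[internal]
include => public-inbound
exten => _9X.,1,Dial(SIP/mytrunk/${EXTEN:1})   ; reachable only from authenticated peers
```

The point of the second half is defence in depth: even on a patched release, the outbound Dial() should live only in a context that authenticated peers are assigned to, so a future guest-handling bug has nowhere expensive to go. Todd's other advice from the same post still applies: keep the packet filter in front of port 5060 so that only your provider and your own phones can talk SIP to the box in the first place.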
P.S. As Rich said, "I am sure by the time Asterisk World rolls around in a few months in Miami, we will all be laughing about this incident and marveling at the opportunity that is open source communications."