Asterisk, Heartbleed, and You

By Matt Jordan

Olle E. Johansson, CEO of Edvina AB, and Matt Jordan, Engineering Manager for the Open Source Software team at Digium, discuss the Heartbleed vulnerability and what it means for Asterisk.

Recently, a vulnerability was discovered in the ubiquitous OpenSSL library. This bug, dubbed “Heartbleed” (CVE-2014-0160), lets an unauthenticated attacker read chunks of a vulnerable client's or server's process memory, and with it TLS/SSL-protected information: session data, credentials sent over the encrypted connection, and potentially the server's private key itself. Because OpenSSL is the library most deployments rely on to protect that information in the first place, the severity of this vulnerability cannot be overstated.

Asterisk uses OpenSSL to encrypt signaling in many of its channel drivers, dialplan applications, and core functionality, including the SIP and XMPP channel drivers and the AMI and ARI interfaces. If you use TLS with Asterisk and your system runs a vulnerable version of OpenSSL, upgrade OpenSSL to a version containing the Heartbleed fix immediately. The affected upstream releases are OpenSSL 1.0.1 through 1.0.1f, inclusive (the 1.0.2-beta1 pre-release is also affected); 1.0.1g and later, and the 0.9.8 and 1.0.0 branches, are not. The fix is in OpenSSL, not in Asterisk: Asterisk needs no patch of its own, but the running process must be restarted after the upgrade so that it loads the fixed library.

In short, these are the steps you should take:
  1. Check whether you have a vulnerable version of OpenSSL with the Linux/Unix command “openssl version”. If the reported version is not in the affected range listed above, you are not exposed to this attack. Be aware that many distributions shipped the fix as a patch to their existing package without changing the upstream version string (a patched 1.0.1e still reports 1.0.1e), so on a distribution-packaged system also check the package version and changelog, or the build date shown by “openssl version -a”, before concluding that you are still vulnerable.
  2. Stop your Asterisk process.
  3. Upgrade your OpenSSL libraries using the tools provided by your operating system.
  4. Generate new key material and a new CSR, obtain a new TLS certificate for Asterisk, and have your CA revoke the old certificate. The old private key must be treated as compromised, since a Heartbleed-exposed server may already have leaked it.
  5. Restart Asterisk with the new certificate and key.
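The five steps above as one script, added here as a worked example; it is not Asterisk's or Digium's tooling. It assumes a POSIX shell with the openssl and asterisk binaries on the PATH, and takes the output directory and certificate subject as arguments (the /etc/asterisk/keys path and the pbx.example.com name in the comments are placeholders, not values from the post). The version check takes the “openssl version” string as an argument so it can be exercised against known strings offline, and it deliberately reports a distribution-patched build that still prints an affected version as a hit: the version string alone cannot prove the backport is present, so the operator has to check the package changelog.

```shell
#!/bin/sh
# Heartbleed exposure check and re-keying helper for an Asterisk host.
# Added example for this post; not Asterisk or Digium tooling.
# Assumptions not taken from the post: the key/CSR output directory is $2 of
# "rekey" (e.g. /etc/asterisk/keys) and the certificate subject is $3
# (e.g. "/CN=pbx.example.com").

# Step 1: given the output of "openssl version", return 0 if the upstream
# release is in the Heartbleed-affected range (1.0.1 through 1.0.1f, including
# suffixed builds such as 1.0.1e-fips, and 1.0.2-beta1), else 1.
# Caveat: distributions backported the fix without bumping this string, so a
# hit means "verify via package version/changelog", not "proven vulnerable".
heartbleed_version_affected() {
    set -- $1            # split "OpenSSL 1.0.1e 11 Feb 2013" into words
    ver=$2               # second word is the version
    case "$ver" in
        1.0.1 | 1.0.1-* | 1.0.1[a-f] | 1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta1)                                  return 0 ;;
        *)                                            return 1 ;;
    esac
}

# Step 4: fresh 2048-bit RSA key and CSR for Asterisk's TLS listeners.
# The old key is assumed leaked: Heartbleed reads server memory, where it lives.
# Prints the CSR path on success; submit it to your CA and revoke the old cert.
asterisk_new_key_and_csr() {
    dir=$1
    subj=$2
    umask 077                                  # key must not be world-readable
    mkdir -p "$dir" || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/asterisk.key" -out "$dir/asterisk.csr" -subj "$subj" \
        2>/dev/null || return 1
    echo "$dir/asterisk.csr"
}

# Entry point for "check": run the live version check and print the remaining
# steps as instructions, since stopping Asterisk and upgrading packages need
# operator judgement. Informational only; always returns 0.
heartbleed_check() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH; cannot check."
        return 0
    fi
    current=$(openssl version)
    if heartbleed_version_affected "$current"; then
        cat <<EOF
$current is in the Heartbleed-affected range. Remediate in this order:
  1. asterisk -rx "core stop gracefully"          # step 2: stop Asterisk
  2. upgrade OpenSSL with your package manager     # step 3 (apt-get/yum)
  3. $0 rekey /etc/asterisk/keys "/CN=pbx.example.com"   # step 4: new key + CSR
  4. install the new certificate where Asterisk reads it: tlscertfile= and
     tlsprivatekey= in sip.conf, http.conf (ARI, AMI over HTTP) and
     manager.conf, or cert_file=/priv_key_file= on a pjsip.conf transport
  5. start Asterisk again, then rotate SIP secrets and AMI/ARI passwords
EOF
    else
        echo "$current is outside the Heartbleed-affected range."
    fi
    return 0
}

case "${1:-check}" in
    check) heartbleed_check ;;
    rekey) asterisk_new_key_and_csr "$2" "$3" ;;
esac
```

Run with no arguments to check the local OpenSSL; run “rekey DIR SUBJECT” after the library upgrade to produce the new key and CSR. The check function takes the version string rather than calling openssl itself so that the decision logic can be verified against strings such as “OpenSSL 1.0.1e-fips 11 Feb 2013” (RHEL's format) without that build being installed.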

If your Asterisk was running on a vulnerable version of OpenSSL, treat the credentials that passed through its TLS connections as potentially exposed and change them: SIP secrets, AMI usernames and passwords, ARI users, and so on.

More information on the Heartbleed vulnerability can be found at http://heartbleed.com/.

We in the Asterisk community take the issue of security very seriously. We highly encourage all Asterisk administrators to verify their installations of Asterisk and upgrade their versions of OpenSSL, if necessary. If you have any concerns about security with Asterisk, please feel free to contact the Asterisk developers at the security@asterisk.org mailing address. For general discussions, please use the asterisk-users mailing list. We also encourage all third-party distributions of Asterisk to spread this information and assist their user base in protecting their systems.

Co-author – Olle E. Johansson is CEO of Edvina AB, Sweden, and has more than 25 years of experience in the Unix and networking business, with ten years of VoIP experience. He is an Asterisk and Kamailio developer, trainer and consultant, focusing on building large-scale customized platforms for carriers, call centers and enterprises. Olle is also an advisor to many startups. After 25 years with IPv4 networking, he is a strong advocate of IPv6 migration, and an active member of and contributor to the SIP Forum and the IETF.


About the Author

Matt Jordan

Matt Jordan joined Digium in July of 2011. Since joining Digium, he has served as lead on the Asterisk open source project, as an Engineering Manager, and as Director of Technology. In June 2016, Jordan was named CTO of Digium. In this role, Jordan is responsible for technology and architectural decisions used in the Company's product and service offerings. Jordan holds a Bachelor of Science degree in Computer Engineering from Michigan Technological University and a Master of Science degree in Electrical Engineering from Louisiana State University, and holds multiple patents.
