Asterisk, Heartbleed, and You

By Matt Jordan

Olle E. Johansson, CEO of Edvina AB, and Matt Jordan, Engineering Manager for the Open Source Software team at Digium, discuss the Heartbleed vulnerability and what it means for Asterisk.

Recently, a vulnerability was discovered in the ubiquitous OpenSSL library. This bug, dubbed “Heartbleed”, allows unauthenticated attackers to read and steal TLS/SSL-protected information from vulnerable clients and servers. Because OpenSSL is typically the component that provides that protection, the severity of this vulnerability should not be underestimated.

Asterisk uses OpenSSL to encrypt signaling communication in many of its channel drivers, dialplan applications, and core functionality. This includes SIP and XMPP channel drivers, as well as the AMI and ARI interfaces. If you are using TLS with Asterisk and are using a vulnerable version of OpenSSL, you should upgrade your version of OpenSSL to a version containing the Heartbleed fix immediately. Versions of OpenSSL that are affected by the vulnerability include OpenSSL 1.0.1 through 1.0.1f, inclusive.

In short, these are the steps you should take:
  1. Check if you have a vulnerable version of OpenSSL. Use the Linux/Unix command “openssl version”. If your version of OpenSSL is not a version previously mentioned, you are not exposed to this potential attack.
  2. Stop your asterisk process.
  3. Upgrade your OpenSSL libraries using the tools provided by your operating system.
  4. Generate new key material, a new CSR and get a new TLS certificate for Asterisk.
  5. Restart Asterisk with a new certificate.
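The five steps above, as an added shell example that is not part of the original post or of the Asterisk project: step 1 becomes a reusable check of the `openssl version` banner against the affected range (1.0.1 through 1.0.1f inclusive), and steps 2 to 5 become a remediation routine. The package manager (apt), the key directory `/etc/asterisk/keys` and the certificate subject `pbx.example.com` are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or the Asterisk project.
# Step 1 as a reusable check, followed by steps 2-5 as a remediation routine.
# Assumptions (not from the post): Debian/Ubuntu-style apt packages, an
# Asterisk key directory of /etc/asterisk/keys and the hostname pbx.example.com.

# Return 0 when an `openssl version` banner names a Heartbleed-affected release
# (OpenSSL 1.0.1 through 1.0.1f inclusive), 1 otherwise.
# $1 is the full banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_is_heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1, 1.0.1a ... 1.0.1f
        *)                return 1 ;;   # 0.9.8, 1.0.0, 1.0.1g and later
    esac
}

# Print a one-line verdict for the library actually installed on this host.
check_installed_openssl() {
    banner=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    if openssl_version_is_heartbleed_affected "$banner"; then
        echo "AFFECTED: $banner"
        return 0
    fi
    echo "not in affected range: $banner"
    return 1
}

# Steps 2-5 from the post; run as root only after check_installed_openssl
# reports AFFECTED, and only after reading the output of that check.
heartbleed_remediate() {
    keydir=/etc/asterisk/keys          # assumed location
    cn=pbx.example.com                 # assumed certificate subject

    # 2. Stop Asterisk (gracefully waits for active calls to finish).
    asterisk -rx 'core stop gracefully'

    # 3. Upgrade OpenSSL with the distribution's package tools (apt shown).
    apt-get update && apt-get install --only-upgrade openssl libssl1.0.0

    # 4. Fresh key material and a new CSR; the old private key may have been
    #    read from process memory, so it is treated as compromised.
    openssl genrsa -out "$keydir/asterisk.key" 2048
    chmod 600 "$keydir/asterisk.key"
    openssl req -new -key "$keydir/asterisk.key" -subj "/CN=$cn" -out "$keydir/asterisk.csr"
    echo "Submit $keydir/asterisk.csr to your CA, then install the issued certificate where your tlscertfile setting points"

    # 5. Start Asterisk again once the new certificate is in place.
    service asterisk start
}
```

Source the file and call `check_installed_openssl` first; `heartbleed_remediate` is deliberately not run automatically. One caveat for the version check: some distributions backport the Heartbleed fix into a package that still reports an affected version string, so treat a match as a prompt to consult your distribution's advisory and package changelog rather than as final proof.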

If your Asterisk was using a vulnerable version of OpenSSL, consider changing credentials for accessing the system, like SIP secrets, AMI username and password, etc.

More information on the Heartbleed vulnerability can be found at http://heartbleed.com/.

We in the Asterisk community take the issue of security very seriously. We highly encourage all Asterisk administrators to verify their installations of Asterisk and upgrade their versions of OpenSSL, if necessary. If you have any concerns about security with Asterisk, please feel free to contact the Asterisk developers using the [email protected] mailing address. For general discussions, please use the asterisk-users mailing list. We also encourage all third party distributions of Asterisk to spread this information and assist their userbase to protect their systems.

Co-author – Olle E. Johansson, CEO of Edvina AB, Sweden, has more than 25 years of experience in the Unix and networking business, with ten years of VoIP experience. He is an Asterisk and Kamailio developer, trainer and consultant. The focus is on building large scale customized platforms for carriers, call centers and enterprises. Olle is also an advisor to many startups. After 25 years with IPv4 networking, he is also a strong advocate of IPv6 migration, being an active member and contributor to SIP Forum and IETF.


About the Author

Matt Jordan

Matt Jordan is an Engineering Manager for the Open Source Software team at Digium, working on Asterisk. Matt joined the team in 2011, and since then has been involved in the development of both Asterisk and the Asterisk Test Suite. His background in software development can best be described as "eclectic", having worked in a variety of industries. Uniting the various experiences, however, is a firm belief in good software development practices and methodologies and the effect they have on producing quality software (and keeping software developers from going insane).
