Potential Asterisk Security Issue Heightens Need for Updated Dial Plans

February 15, 2010

As more business users look for a more economical and manageable telephony solution, Asterisk-based systems in particular have emerged as a top choice for small and medium-sized businesses.
 
Yet a security issue affects all releases of Asterisk, and to stay protected users need to update their dial plans, according to a VentureVoip blog posting. The problem is not a flaw in the Asterisk code itself but in the way users construct their dial plans.
 
The issue at hand, according to the blog, is a conflict between the characters that many VoIP protocols permit in the called number or name and the way Asterisk handles channel variables: SIP, for example, allows an ampersand in the user part of a request URI, while Asterisk's Dial application treats an ampersand as the separator between several channels to ring at once. The risk is hidden in many dial plans that were built from examples provided over the years by Asterisk developers, trainers and the community at large.
 
For example, when a dial plan passes the called number unchanged into Dial() as ${EXTEN}, a caller who places an ampersand in that number can make the PBX ring additional, otherwise protected resources or misuse other PBX services, according to the blog.
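The vulnerable and hardened dial-plan shapes described above, a simulation of what Dial() does with an ampersand in ${EXTEN}, and a small audit script of the kind the blog asks administrators to run, as an added example that is not code from the VentureVoip post, Digium or the Asterisk source tree. The extensions.conf sample and the injected number are constructed for the example; the script models only the relevant Asterisk behaviour (Dial() splits its first argument on '&', FILTER(0-9,...) keeps only digits, '.' and '!' in a pattern match any characters) and parses only `exten =>` lines.

```python
"""Dial-plan injection via '&' in ${EXTEN}: a simulation plus a small extensions.conf auditor.

Added example, not code from the VentureVoip post or from Asterisk/Digium. It models the
relevant Asterisk behaviour (Dial() splits its first argument on '&'; FILTER(0-9,...) keeps
only digits; '.' and '!' in an extension pattern match any characters) and parses only
'exten =>' lines of a constructed extensions.conf sample.
"""
import re

# Constructed sample extensions.conf (not from any real deployment).
SAMPLE_DIALPLAN = """\
[from-trunk]
; Vulnerable: '_.' matches any string (including '&') and ${EXTEN} feeds Dial() directly.
exten => _.,1,Dial(SIP/provider/${EXTEN})

[from-internal]
; Hardened: FILTER() keeps only digits, so an '&' can never reach Dial().
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,Dial(SIP/provider/${SAFE_EXTEN})

[fixed-length]
; Also safe: the pattern itself admits only digits, so no filter is needed.
exten => _NXXXXXX,1,Dial(SIP/provider/${EXTEN})
"""

# Constructed attacker input: the called number a SIP INVITE could carry in its Request-URI.
INJECTED_EXTEN = "5551234&SIP/intl-trunk/00441234567890"

CONTEXT_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
EXTEN_RE = re.compile(r"^\s*exten\s*=>\s*([^,]+),([^,]+),(\w+)\((.*)\)\s*$")
# ${FILTER(<allowed>,${EXTEN...})}: an EXTEN reference that has already been sanitised.
FILTERED_EXTEN_RE = re.compile(r"\$\{FILTER\([^,]*,\s*\$\{EXTEN[^}]*\}\s*\)\}")


def render_dial_arg(template, exten):
    """Substitute ${EXTEN} the way the dial plan would before calling Dial()."""
    return template.replace("${EXTEN}", exten)


def split_dial_targets(dial_arg):
    """Mimic Dial(): '&' separates several channels that are rung at the same time."""
    return [t for t in dial_arg.split("&") if t]


def filter_digits(exten):
    """Mimic ${FILTER(0-9,${EXTEN})}: drop every character outside 0-9."""
    return re.sub(r"[^0-9]", "", exten)


def pattern_allows_any_char(pattern):
    """Can this extension pattern match a string containing '&'?

    A literal extension matches only itself. In a '_' pattern, X/Z/N stand for
    digit classes, but '.' (one or more) and '!' (zero or more) match any
    characters, so '_.' and even '_X.' both admit '5551234&SIP/...'.
    """
    if not pattern.startswith("_"):
        return "&" in pattern
    return "." in pattern or "!" in pattern


def exten_used_unfiltered(args):
    """Does ${EXTEN} reach the application without passing through FILTER()?"""
    return "${EXTEN" in FILTERED_EXTEN_RE.sub("", args)


def audit(conf_text):
    """Return one finding per Dial() line whose pattern admits '&' and uses raw ${EXTEN}."""
    findings = []
    context = None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = ctx.group(1)
            continue
        m = EXTEN_RE.match(line)
        if not m:
            continue
        pattern, _prio, app, args = (s.strip() for s in m.groups())
        if app.lower() != "dial":
            continue
        if pattern_allows_any_char(pattern) and exten_used_unfiltered(args):
            findings.append({"line": lineno, "context": context,
                             "pattern": pattern, "args": args})
    return findings


if __name__ == "__main__":
    raw = render_dial_arg("SIP/provider/${EXTEN}", INJECTED_EXTEN)
    print("vulnerable Dial() rings:", split_dial_targets(raw))
    safe = render_dial_arg("SIP/provider/${EXTEN}", filter_digits(INJECTED_EXTEN))
    print("filtered Dial() rings:  ", split_dial_targets(safe))
    for f in audit(SAMPLE_DIALPLAN):
        print("line %(line)d [%(context)s] exten %(pattern)s: Dial(%(args)s) uses raw ${EXTEN}" % f)
```

Two caveats worth noting when reading the output. First, a wildcard pattern such as `_X.` is not by itself a defence, because `.` matches any characters after the first digit; only FILTER() or a fixed-digit pattern keeps the ampersand out of Dial(). Second, FILTER() neutralises the injection by concatenating the surviving digits, so the call goes out to a garbage number that the provider will reject rather than to the attacker's chosen trunk; a fixed-length pattern rejects such a call outright, which is the cleaner failure mode.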
 
“We need help from all involved in the Asterisk eco-system,” the blog said. “This is not something that the development team can solve by itself. We can add documents, READMEs and fix our own examples. But that won’t fix it. We need everyone involved to pump this information out in all the veins that run through the Asterisk eco-system.”
 
Digium, the Asterisk company, plans to release an Asterisk Security Advisory document and updated examples within the Asterisk source code tree. The blog advises readers to audit their dial plans to help solve the problem.

Amy Tierney is a Web editor for TMCnet, covering business communications. Her areas of focus include conferencing, SIP, Fax over IP, unified communications and telepresence. Amy also writes about education and healthcare technology, overseeing production of e-Newsletters on those topics as well as communications solutions and UC. To read more of Amy's articles, please visit her columnist page.

Edited by Amy Tierney
