Recommended VICIdial Security Upgrade Notice: October 2021


Postby mflorell » Mon Oct 18, 2021 8:21 am

Please read this carefully as it contains important information regarding the security of your VICIdial system.

Due to the recent discovery of critical security risks in the admin and
agent web interface code, we have rolled out an update to the VICIdial
code-base. These vulnerabilities have been patched and we have added
additional code that further secures the web-facing portions of
VICIdial. Any system that is at SVN revision 3509 or greater already has
these changes (Aug 28, 2021). If your system is below that version, we strongly
recommend that you upgrade VICIdial to address these concerns.

Instructions for how to connect to our public SVN server to get the latest code
are available here: http://wiki.vicidial.org/doku.php?id=svn

You can also find recent snapshots of the svn code available here:
https://www.vicidial.org/svn_trunk_nightly/

If you have a VICIhost account with us, know that we have already upgraded
all servers and there is nothing that needs to be done on your end.

If you have any questions about this notice, please contact us or reply to this post.
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby SPAMSAM » Tue Oct 26, 2021 9:54 am

So what were the vulnerabilities that have been patched? Just asking out of interest.
SPAMSAM
 
Posts: 70
Joined: Tue Jan 17, 2017 4:00 am

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby mflorell » Tue Oct 26, 2021 3:18 pm

They were all web page vulnerabilities. A security researcher from Sweden found them and will be publishing more details on the issues in about a month.
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby mflorell » Thu Nov 18, 2021 9:16 am

The security researcher has published their results,
*** LINK REMOVED AT WEBSITE OWNER'S REQUEST ***
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby carpenox » Fri Nov 19, 2021 9:53 am

Something new I've been seeing, Matt:

[Nov 19 09:32:25] NOTICE[118332]: chan_skinny.c:7534 skinny_session: Starting Skinny session from 42.193.16.135
[Nov 19 09:32:25] WARNING[118332]: chan_skinny.c:7598 skinny_session: Skinny packet too large (542393675 bytes), max length(2000 bytes)
[Nov 19 09:32:25] NOTICE[118332]: chan_skinny.c:7650 skinny_session: Skinny Session returned: Success
[Nov 19 09:32:25] NOTICE[118332]: chan_skinny.c:7476 skinny_session_cleanup: Ending Skinny session from unknown at 42.193.16.135
Alma Linux 9.3 | Version: 2.14-911a | SVN Version: 3815 | DB Schema Version: 1710 | Asterisk 18.18.1
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WhatsApp: +19549477572 -:- Skype: live:carpenox_3
carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby mflorell » Fri Nov 19, 2021 7:47 pm

chan_skinny is for OLD Cisco hardphones, I'd suggest disabling the module if you don't have one of those phones.
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida
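
The log excerpt quoted earlier in the thread can be triaged mechanically; this is an added example, not part of the thread and not VICIdial or Asterisk code. It ties each "Skinny packet too large" warning, which carries no address, back to the source IP through the bracketed id that the quoted lines share. Assumptions: that id identifies the thread serving one session, the sample log is constructed, and `oversized_by_source` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted above
# (documentation-range IPs, made-up thread ids and sizes).
SAMPLE_LOG = """\
[Nov 19 09:32:25] NOTICE[118332]: chan_skinny.c:7534 skinny_session: Starting Skinny session from 192.0.2.10
[Nov 19 09:32:25] WARNING[118332]: chan_skinny.c:7598 skinny_session: Skinny packet too large (542393675 bytes), max length(2000 bytes)
[Nov 19 09:32:25] NOTICE[118332]: chan_skinny.c:7476 skinny_session_cleanup: Ending Skinny session from unknown at 192.0.2.10
[Nov 19 09:40:02] NOTICE[118400]: chan_skinny.c:7534 skinny_session: Starting Skinny session from 198.51.100.7
[Nov 19 09:40:03] NOTICE[118400]: chan_skinny.c:7476 skinny_session_cleanup: Ending Skinny session from unknown at 198.51.100.7
[Nov 19 09:41:10] WARNING[118555]: chan_skinny.c:7598 skinny_session: Skinny packet too large (16777216 bytes), max length(2000 bytes)
[Nov 19 09:45:00] NOTICE[118600]: chan_sip.c:1234 handle_request: unrelated line
"""

# Only chan_skinny.c lines are parsed; everything else is skipped.
LINE = re.compile(r"^\[[^\]]+\]\s+[A-Z]+\[(?P<tid>\d+)\]:\s+chan_skinny\.c:\d+\s+\w+:\s+(?P<msg>.*)$")
START = re.compile(r"Starting Skinny session from (\S+)")
TOO_LARGE = re.compile(r"Skinny packet too large \((\d+) bytes\)")
END = re.compile(r"Ending Skinny session from .* at (\S+)")

def oversized_by_source(log_text):
    """Return {source_ip: [claimed_sizes]} for oversized Skinny packets."""
    active = {}                # thread id -> source IP of the session it serves
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        if s := START.search(msg):
            active[tid] = s.group(1)
        elif t := TOO_LARGE.search(msg):
            # A warning with no preceding "Starting" line is filed as "unknown".
            hits[active.get(tid, "unknown")].append(int(t.group(1)))
        elif END.search(msg):
            active.pop(tid, None)   # thread ids can be reused later
    return dict(hits)

if __name__ == "__main__":
    for ip, sizes in oversized_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {len(sizes)} oversized packet(s), largest {max(sizes)} bytes")
```

If no Skinny phones are in use, a `noload => chan_skinny.so` line in Asterisk's `modules.conf` keeps the module from loading, which is the remedy suggested in the reply above.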

