vicidial.org

VICIDIAL astGUIclient discussion forum

Skip to content

Vicidial.org Home      Vicidial Forum      Vicidial Wiki      Vicidial Issue Tracker      astGUIclient Project Page


Recommended VICIdial Security Upgrade Notice: October 2021

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Post a reply

Recommended VICIdial Security Upgrade Notice: October 2021

Postby mflorell » Mon Oct 18, 2021 8:21 am

Please read this carefully as it contains important information regarding the security of your VICIdial system.

Due to the recent discovery of critical security risks in the admin and
agent web interface code, we have rolled out an update to the VICIdial
code-base. These vulnerabilities have been patched and we have added
additional code that further secures the web-facing portions of
VICIdial. Any system that is at SVN revision 3509 or greater already has
these changes(Aug 28, 2021). If your system is below that version, we strongly
recommend that you upgrade VICIdial to address these concerns.

Instructions for how to connect to our public SVN server to get the latest code
are available here: http://wiki.vicidial.org/doku.php?id=svn

You can also find recent snapshots of the svn code available here:
https://www.vicidial.org/svn_trunk_nightly/

If you have a VICIhost account with us, know that we have already upgraded
all servers and there is nothing that needs to be done on your end.

If you have any questions about this notice, please contact us or reply to this post.
mflorell
Site Admin
 
Posts: 18399
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida
Top

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby SPAMSAM » Tue Oct 26, 2021 9:54 am

So what were the vulnerabilities that have been patched? Just asking out of interest.
SPAMSAM
 
Posts: 70
Joined: Tue Jan 17, 2017 4:00 am
Top

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby mflorell » Tue Oct 26, 2021 3:18 pm

They were all web page vulnerabilities. A security researcher from Sweden found them and will be publishing more details on the issues in about a month.
mflorell
Site Admin
 
Posts: 18399
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida
Top

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby mflorell » Thu Nov 18, 2021 9:16 am

The security researcher has published their results,
*** LINK REMOVED AT WEBSITE OWNER'S REQUEST ***
mflorell
Site Admin
 
Posts: 18399
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida
Top

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby carpenox » Fri Nov 19, 2021 9:53 am

something new ive been seeing Matt

[Nov 19 09:32:25] NOTICE[118332]: chan_skinny.c:7534 skinny_session: Starting Skinny session from 42.193.16.135
[Nov 19 09:32:25] WARNING[118332]: chan_skinny.c:7598 skinny_session: Skinny packet too large (542393675 bytes), max length(2000 bytes)
[Nov 19 09:32:25] NOTICE[118332]: chan_skinny.c:7650 skinny_session: Skinny Session returned: Success
[Nov 19 09:32:25] NOTICE[118332]: chan_skinny.c:7476 skinny_session_cleanup: Ending Skinny session from unknown at 42.193.16.135
Alma Linux 9.5 | SVN Version: 3909 | DB Schema Version: 1724 | Asterisk 18.26.0 | PHP8
https://dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2535
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL
Top

Re: Recommended VICIdial Security Upgrade Notice: October 20

Postby mflorell » Fri Nov 19, 2021 7:47 pm

chan_skinny is for OLD Cisco hardphones, I'd suggest disabling the module if you don't have one of those phones.
mflorell
Site Admin
 
Posts: 18399
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida
Top
Post a reply

Return to General Discussion

Who is online

Users browsing this forum: Google [Bot] and 36 guests

Powered by phpBB® Forum Software © phpBB Group