Thursday, September 21, 2017

GNU Gatekeeper 4.7 (security update)

This version is purely a security update and has no new features. All users are encouraged to update, especially if you use port detection (IgnoreSignaledIPs=1) you should update ASAP.

It has been discovered that GnuGk is vulnerable in some configurations for RTP bleed attacks (https://rtpbleed.com/). By updating to version 4.7 only the first packets in each media stream influence the media destination.

To further secure your configuration, you can set

[Proxy]
RestrictRTPSources=Net


to only accept RTP from the same class C network that the call signaling came from. Please beware that this may break a few valid calls where this condition isn't met.

You can download the new version from
https://www.gnugk.org/h323download.html


Please see the full change log below.

Changes from 4.6 to 4.7
  • fixes for RTP Bleed
  • new switch [Proxy] RestrictRTPSources=IP or Net to limit accepting RTP from the call signal IPs or the respective class C network
  • new switch [Proxy] LegacyPortDetection=1 to keep port detection help for some very old and broken endpoints that will make your gatekeeper vulnerable to RTP Bleed attacks
  • BUGFIX(ProxyChannel.cxx) replace @ip or ip## from aliases when using RedirectCallsToGkIP
  • BUGFIX(ProxyChannel.cxx) better initialization of sendmsg() structs
  • new command line option: now you can use -S instead of --strict (needed on BSD systems)

No comments:

Post a Comment