Thursday, September 21, 2017

GNU Gatekeeper 4.7 (security update)

This version is purely a security update and has no new features. All users are encouraged to update, especially if you use port detection (IgnoreSignaledIPs=1) you should update ASAP.

It has been discovered that GnuGk is vulnerable in some configurations for RTP bleed attacks (https://rtpbleed.com/). By updating to version 4.7 only the first packets in each media stream influence the media destination.

To further secure your configuration, you can set

[Proxy]
RestrictRTPSources=Net


to only accept RTP from the same class C network that the call signaling came from. Please beware that this may break a few valid calls where this condition isn't met.

You can download the new version from
https://www.gnugk.org/h323download.html


Please see the full change log below.

Changes from 4.6 to 4.7
  • fixes for RTP Bleed
  • new switch [Proxy] RestrictRTPSources=IP or Net to limit accepting RTP from the call signal IPs or the respective class C network
  • new switch [Proxy] LegacyPortDetection=1 to keep port detection help for some very old and broken endpoints that will make your gatekeeper vulnerable to RTP Bleed attacks
  • BUGFIX(ProxyChannel.cxx) replace @ip or ip## from aliases when using RedirectCallsToGkIP
  • BUGFIX(ProxyChannel.cxx) better initialization of sendmsg() structs
  • new command line option: now you can use -S instead of --strict (needed on BSD systems)

Monday, September 4, 2017

GNU Gatekeeper 4.6 is out

I'm happy to announce that GNU Gatekeeper version 4.6 has just been
released.

This version has a few new features as well as bug fixes.

New features:
  • least used routing: distribute calls evenly between gateways or MCUs (new switch [RasSrv::ARQFeatures] LeastUsedRouting=1)
  • ability to log to the Unix syslog instead of the trace file (new switch [LogFile] TraceToSyslog=1)
  • new authentication module TwoAliasAuth this is not very safe, but you can use it with endpoints that do not support any password transmission
  • new switch [CTI::MakeCall] Bandwidth= to set the maximum bandwidth  for the calls generated by the GnuGk status port API
  • new status port command: UnregisterEP <ep-id>
  • a number of switches to fine tune TCP keepalives
  • new switch to remove load balancers from the call path ([RoutedMode] RedirectCallsToGkIP=1)

Bug fixes:
  • fixed TCP keepalive for H.460 calls (important!)
  • fixes to port detection for unregistered calls
  • audio fix when GnuGk adds encryption to calls
  • many smaller fixes

You can download the new version from
https://www.gnugk.org/h323download.html


Please see the full change log below.

Changes from 4.5 to 4.6

  • new switch: [RoutedMode] RedirectCallsToGkIP=1
  • new switches: [RoutedMode] H460KeepAliveMethodH225=, H460KeepAliveMethodH245=, GnuGkTcpKeepAliveMethodH225=, GnuGkTcpKeepAliveMethodH245=
  • BUGFIX(ProxyChannel.cxx) TCP keep-alives for H.460.18 calls weren't always  enabled correctly
  • don't open a status port listener if [Gatekeeper::Main] StatusPort=0
  • BUGFIX(Toolkit.cxx) remove trailing chars before checking for DefaultDomain
  • add callID to H.245 trace messages for easier debugging
  • BUGFIX(ProxyChannel.cxx) forward ReleaseComplete from remaining party while doing call reroute
  • BUGFIX(ProxyChannel.cxx) drop un-en/decryptable RTP packets at end of call  when adding encryption
  • new status port command: UnregisterEP <ep-id>
  • BUGFIX(RasSrv.cxx) remove IPv6 addresses before processing RRQs when IPv6 is not enabled
  • send Facility message as as non-H.460.18 keep-alive for H.225
  • send non-standard H.245 userIndication as non-H.460.18 keep-alive for H.245
  • new switch [RoutedMode] DisableGnuGkH245TcpKeepAlive=1
  • new switch [LogFile] TraceToSyslog=1 to send trace output to syslog (Unix only)
  • BUGFIX(ProxyChannel.cxx) fix port detection for re-opened channels with IgnoreSignaledIPs=1
  • new switch [CTI::MakeCall] Bandwidth= to set the maximum bandwidth for the call
  • new switch [RasSrv::ARQFeatures] LeastUsedRouting=1 to select the least used gateway
  • new authentication module TwoAliasAuth