Asterisk Project Security Advisory -

+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | Resource Exhaustion vulnerability in IAX2 channel |
|                    | driver                                            |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service                                 |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote Unauthenticated Sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Moderate                                          |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| Reported On        | July 19, 2007                                     |
|--------------------+---------------------------------------------------|
| Reported By        | Russell Bryant, Digium, Inc. <russell@digium.com> |
|--------------------+---------------------------------------------------|
| Posted On          | July 23, 2007                                     |
|--------------------+---------------------------------------------------|
| Last Updated On    | July 23, 2007                                     |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Russell Bryant <russell@digium.com>               |
|--------------------+---------------------------------------------------|
| CVE Name           |                                                   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The IAX2 channel driver in Asterisk is vulnerable to a   |
|             | Denial of Service attack when configured to allow        |
|             | unauthenticated calls. An attacker can send a flood of   |
|             | NEW packets for valid extensions to the server to        |
|             | initiate calls as the unauthenticated user. This will    |
|             | cause resources on the Asterisk system to get allocated  |
|             | that will never go away. Furthermore, the IAX2 channel   |
|             | driver will be stuck trying to reschedule                |
|             | retransmissions for each of these fake calls forever.    |
|             | This can very quickly bring down a system and the only   |
|             | way to recover is to restart Asterisk.                   |
|             |                                                          |
|             | Detailed Explanation:                                    |
|             |                                                          |
|             | Within the last few months, we made some changes to      |
|             | chan_iax2 to combat the abuse of this module for traffic |
|             | amplification attacks. Unfortunately, this has caused an |
|             | unintended side effect.                                  |
|             |                                                          |
|             | The summary of the change to combat traffic              |
|             | amplification is this. Once you start the PBX on the     |
|             | Asterisk channel, it will begin receiving frames to be   |
|             | sent back out to the network. We delayed this from       |
|             | happening until a 3-way handshake has occurred to help   |
|             | ensure that we are talking to the IP address the         |
|             | messages appear to be coming from.                       |
|             |                                                          |
|             | When chan_iax2 accepts an unauthenticated call, it       |
|             | immediately creates the ast_channel for the call.        |
|             | However, since the 3-way handshake has not been          |
|             | completed, the PBX is not started on this channel.       |
|             |                                                          |
|             | Later, when the maximum number of retries has been       |
|             | exceeded on responses to this NEW, the code tries to     |
|             | hang up the call. It has two ways to do this, depending  |
|             | on whether there is an ast_channel related to this IAX2  |
|             | session or not. If there is no channel, then it can      |
|             | just destroy the iax2 private structure and move on. If  |
|             | there is a channel, it queues a HANGUP frame and         |
|             | expects that to make the ast_channel get torn down,      |
|             | which would then cause the pvt struct to get destroyed   |
|             | afterwards.                                              |
|             |                                                          |
|             | However, since there was no PBX started on this channel, |
|             | there is nothing servicing the channel to receive the    |
|             | HANGUP frame. Therefore, the call never gets destroyed.  |
|             | To make things worse, there is some code continuously    |
|             | rescheduling PINGs and LAGRQs to be sent for the active  |
|             | IAX2 call, which will always fail.                       |
|             |                                                          |
|             | In summary, sending a bunch of NEW frames to request     |
|             | unauthenticated calls can make a server unusable within  |
|             | a matter of seconds.                                     |
+------------------------------------------------------------------------+
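The teardown path from the Detailed Explanation, as a small C model added here (it is not Asterisk's code, and its hardened branch is an assumption consistent with the advisory, not the patch shipped in 1.2.23 and 1.4.9): a session created by an unauthenticated NEW has an ast_channel but no running PBX, so the HANGUP queued when retries run out is never consumed and the pvt survives; every identifier in it is hypothetical.

```c
/* Added model of the chan_iax2 teardown path this advisory describes; not
 * Asterisk code, all names hypothetical, "fixed" is one plausible repair. */
#include <string.h>
#define MAX_CALLS 64
struct iax2_session {
    int in_use;        /* iax2 private (pvt) structure allocated */
    int has_channel;   /* ast_channel created for the call */
    int pbx_started;   /* set only once the 3-way handshake completes */
    int hangup_queued; /* HANGUP frame queued, waiting to be serviced */
};
static struct iax2_session calls[MAX_CALLS];

/* Retries on the NEW's responses are exhausted, so hang the call up.
 * fixed == 0 models the vulnerable logic, fixed == 1 a hardened one. */
static void retries_exhausted(int callno, int fixed)
{
    struct iax2_session *s = &calls[callno];
    if (!s->in_use) return;
    if (!s->has_channel || (fixed && !s->pbx_started)) {
        /* No channel, or a channel nothing will ever service: destroy
         * the pvt directly instead of waiting on a HANGUP frame. */
        memset(s, 0, sizeof(*s));
        return;
    }
    s->hangup_queued = 1; /* teardown now depends on a PBX thread */
}

/* Only a channel with a running PBX consumes its queued HANGUP. */
static void service_channels(void)
{
    for (int i = 0; i < MAX_CALLS; i++)
        if (calls[i].pbx_started && calls[i].hangup_queued)
            memset(&calls[i], 0, sizeof(calls[i]));
}

/* n NEWs whose retries all time out; handshake == 1 models callers whose
 * 3-way handshake completed (PBX started), 0 the unauthenticated flood. */
static int leaked_after_flood(int n, int handshake, int fixed)
{
    int i, live = 0;
    memset(calls, 0, sizeof(calls));
    for (i = 0; i < n && i < MAX_CALLS; i++) {
        calls[i].in_use = calls[i].has_channel = 1; /* ast_channel at once */
        calls[i].pbx_started = handshake;
    }
    for (i = 0; i < n && i < MAX_CALLS; i++) retries_exhausted(i, fixed);
    service_channels();
    for (i = 0; i < MAX_CALLS; i++) live += calls[i].in_use;
    return live; /* surviving sessions are the leaked pvt structures */
}
```

With the vulnerable logic every unauthenticated session survives its own hangup, while sessions whose handshake completed are torn down normally in both modes.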
+------------------------------------------------------------------------+
| Resolution | The default configuration that is distributed with        |
|            | Asterisk includes a guest account that allows             |
|            | unauthenticated calls. If this account and any other      |
|            | account without a password is disabled for IAX2, then the |
|            | system is not vulnerable to this problem.                 |
|            |                                                           |
|            | Systems that continue to allow unauthenticated IAX2 calls |
|            | must be updated to one of the versions listed below as    |
|            | including the fix.                                        |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                    | Release     |                             |
|                            | Series      |                             |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.0.x       | Not affected                |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.2.x       | 1.2.20, 1.2.21, 1.2.21.1,   |
|                            |             | 1.2.22                      |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.4.x       | 1.4.5, 1.4.6, 1.4.7,        |
|                            |             | 1.4.7.1, 1.4.8              |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition  | A.x.x       | Not affected                |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition  | B.x.x       | Not affected                |
|----------------------------+-------------+-----------------------------|
| AsteriskNOW                | pre-release | beta6                       |
|----------------------------+-------------+-----------------------------|
| Asterisk Appliance         | 0.x.x       | 0.5.0                       |
| Developer Kit              |             |                             |
|----------------------------+-------------+-----------------------------|
| s800i (Asterisk Appliance) | 1.0.x       | 1.0.0-beta5 up to and       |
|                            |             | including 1.0.2             |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product              | Release                                         |
|----------------------+-------------------------------------------------|
| Asterisk Open Source | 1.2.23 and 1.4.9, available for download from   |
|                      | http://ftp.digium.com/pub/asterisk              |
|----------------------+-------------------------------------------------|
| AsteriskNOW          | Beta6, available from                           |
|                      | http://www.asterisknow.org/. Users can update   |
|                      | using the system update feature in the          |
|                      | appliance control panel.                        |
|----------------------+-------------------------------------------------|
| Asterisk Appliance   | 0.6.0, available for download from              |
| Developer Kit        | http://ftp.digium.com/pub/aadk                  |
|----------------------+-------------------------------------------------|
| s800i (Asterisk      | 1.0.3                                           |
| Appliance)           |                                                 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links                                                                  |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security.                                      |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at http://ftp.digium.com/pub/asa/.pdf.          |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date              | Editor                  | Revisions Made           |
|-------------------+-------------------------+--------------------------|
| July 23, 2007     | russell@digium.com      | Initial Release          |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory -
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
asterisk-dev mailing list
http://lists.digium.com/mailman/listinfo/asterisk-dev