[asterisk-bugs] [Asterisk 0016226]: 1.4.26.3 security issue - Chinese IPs somehow are making calls without authentication
Asterisk Bug Tracker
noreply at bugs.digium.com
Thu Nov 12 00:50:37 CST 2009
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=16226
======================================================================
Reported By: faxguy
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 16226
Category: Channels/chan_sip/General
Reproducibility: always
Severity: minor
Priority: normal
Status: new
Asterisk Version: 1.4.26.3
JIRA:
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2009-11-11 17:15 CST
Last Modified: 2009-11-12 00:50 CST
======================================================================
Summary: 1.4.26.3 security issue - Chinese IPs somehow are
making calls without authentication
Description:
This is from the CLI. I don't know who 113.105.15.56 is, but for at least
a week now they've (that whole Class C network) been making calls out
through my Asterisk system without authentication. I don't know how...
-- Executing [011441616604001 at default:1]
Dial("SIP/113.105.152.56-08e4b3a8",
"IAX2/obfuscated-user:obfuscated-pass at voip-co2.teliax.com/011441616604001")
in new stack
-- Called
obfuscated-user:obfuscated-pass at voip-co2.teliax.com/011441616604001
-- Call accepted by 63.211.239.28 (format ulaw)
-- Format for call is ulaw
-- IAX2/63.211.239.28:4569-15287 is ringing
-- IAX2/63.211.239.28:4569-15287 stopped sounds
-- IAX2/63.211.239.28:4569-15287 answered SIP/113.105.152.56-08e4b3a8
-- Hungup 'IAX2/63.211.239.28:4569-15287'
== Spawn extension (default, 011441616604001, 1) exited non-zero on
'SIP/113.105.152.56-08e4b3a8'
To remedy this I have simply firewalled out their IP range. But I'd like
to fix the problem with the SIP driver directly.
======================================================================
----------------------------------------------------------------------
(0113703) faxguy (reporter) - 2009-11-12 00:50
https://issues.asterisk.org/view.php?id=16226#c113703
----------------------------------------------------------------------
I do not have any allowguest entry in my sip.conf file.
And now I see that allowguest defaults to yes. (?!?!?!?!)
How incredibly insane that is. So, by default Asterisk allows anyone to
place calls via SIP without authentication.
I've now set allowguest=no in my [general] section of sip.conf, but let me
second the opinion that this is an incredibly insecure default setting.
Issue History
Date Modified Username Field Change
======================================================================
2009-11-12 00:50 faxguy Note Added: 0113703
======================================================================
More information about the asterisk-bugs
mailing list