[asterisk-bugs] [JIRA] (ASTERISK-22738) "Security denial" error in calls from H323 trunk (ooh323.c)

Gabriele Odone (JIRA) noreply at issues.asterisk.org
Mon Oct 21 02:34:03 CDT 2013


     [ https://issues.asterisk.org/jira/browse/ASTERISK-22738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gabriele Odone updated ASTERISK-22738:
--------------------------------------

    Description: 
Environment: Asterisk 11.4
Attempting H.323 trunk integration with a H323 Gateway ("Polycom CMA") using ooh323 module.

When placing H323 calls from the H323 Gateway, the call goes through the trunk (as shown by tcpdump on Asterisk server) but is rejected by Asterisk with the following error in /var/log/asterisk/h323_log

==================
10:40:28:564 ERROR: Security denial remote sig IP isn't a socket ip, 10.44.1.156 not 10.71.0.55 (incoming, ooh323c_1)
10:40:28:565 ERROR:Failed ooH2250Receive - Clearing call (incoming, ooh323c_1)
==================

In this log, 10.44.1.156 being IP address of H323 client registered to Polycom CMA, 10.71.0.55 being the address of Polycom CMA.

tcpdump shows "disengageRequest" H.225 sent by Asterisk to Polycom CMA.

I solved this problem by commenting these lines in ooh323.c and recompiling:

========================
   if (strncmp(remoteIP, call->remoteIP, strlen(remoteIP))) {
     OOTRACEERR5("ERROR: Security denial remote sig IP isn't a socket ip, %s not %s "
		     "(%s, %s)\n", remoteIP, call->remoteIP, call->callType, 
		     call->callToken);
     return OO_FAILED;
   }
========================

Same code on the latest 12.0 beta.

I suppose this check is made for security reasons, but as you can see it blocks legitimate calls, thus making the trunk useless.
I think a configuration parameter should be introduced to disable the check.

I will attach the tcpdump. 10.71.0.55 being the address of Polycom CMA, 10.100.202.88 Asterisk server.

Thanks

Kind Regards,

Gabriele Odone

  was:
Environment: Asterisk 11.4
Attempting H.323 trunk integration with a H323 Gateway ("Polycom CMA") using ooh323 module.

When placing H323 calls from the H323 Gateway, the call goes through the trunk (as shown by tcpdump on Asterisk server) but is rejected by Asterisk with the following error in /var/log/asterisk/h323_log

==================
10:40:28:564 ERROR: Security denial remote sig IP isn't a socket ip, 10.44.1.156 not 10.71.0.55 (incoming, ooh323c_1)
10:40:28:565 ERROR:Failed ooH2250Receive - Clearing call (incoming, ooh323c_1)
==================

In this log, 10.44.1.156 being IP address of H323 client registered to Polycom CMA, 10.71.0.55 being the address of Polycom CMA.

tcpdump shows "disengageRequest" H.225 sent by Asterisk to Polycom CMA.

I solved this problem by commenting these lines in ooh323.c and recompiling:

========================
   if (strncmp(remoteIP, call->remoteIP, strlen(remoteIP))) {
     OOTRACEERR5("ERROR: Security denial remote sig IP isn't a socket ip, %s not %s "
		     "(%s, %s)\n", remoteIP, call->remoteIP, call->callType, 
		     call->callToken);
     return OO_FAILED;
   }
========================

I suppose this check is made for security reasons, but as you can see it blocks legitimate calls, thus making the trunk useless.
I think a configuration parameter should be introduced to disable the check.

I will attach the tcpdump. 10.71.0.55 being the address of Polycom CMA, 10.100.202.88 Asterisk server.

Thanks

Kind Regards,

Gabriele Odone

    
> "Security denial" error in calls from H323 trunk (ooh323.c)
> -----------------------------------------------------------
>
>                 Key: ASTERISK-22738
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22738
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Addons/chan_ooh323
>    Affects Versions: 11.4.0, 11.5.1, 12.0.0-beta1
>         Environment: Linux RH 5.5
>            Reporter: Gabriele Odone
>         Attachments: h323.pcap
>
>
> Environment: Asterisk 11.4
> Attempting H.323 trunk integration with a H323 Gateway ("Polycom CMA") using ooh323 module.
> When placing H323 calls from the H323 Gateway, the call goes through the trunk (as shown by tcpdump on Asterisk server) but is rejected by Asterisk with the following error in /var/log/asterisk/h323_log
> ==================
> 10:40:28:564 ERROR: Security denial remote sig IP isn't a socket ip, 10.44.1.156 not 10.71.0.55 (incoming, ooh323c_1)
> 10:40:28:565 ERROR:Failed ooH2250Receive - Clearing call (incoming, ooh323c_1)
> ==================
> In this log, 10.44.1.156 being IP address of H323 client registered to Polycom CMA, 10.71.0.55 being the address of Polycom CMA.
> tcpdump shows "disengageRequest" H.225 sent by Asterisk to Polycom CMA.
> I solved this problem by commenting these lines in ooh323.c and recompiling:
> ========================
>    if (strncmp(remoteIP, call->remoteIP, strlen(remoteIP))) {
>      OOTRACEERR5("ERROR: Security denial remote sig IP isn't a socket ip, %s not %s "
> 		     "(%s, %s)\n", remoteIP, call->remoteIP, call->callType, 
> 		     call->callToken);
>      return OO_FAILED;
>    }
> ========================
> Same code on the latest 12.0 beta.
> I suppose this check is made for security reasons, but as you can see it blocks legitimate calls, thus making the trunk useless.
> I think a configuration parameter should be introduced to disable the check.
> I will attach the tcpdump. 10.71.0.55 being the address of Polycom CMA, 10.100.202.88 Asterisk server.
> Thanks
> Kind Regards,
> Gabriele Odone
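
An added example, not part of the report and not Asterisk or ooh323 code: one way to keep the signalling-address check while letting a known gateway relay calls for endpoints registered to it, instead of disabling the check outright. The names `trusted_gateways`, `check_sig_addr` and the verdict enum are hypothetical, and the addresses are taken from the log lines above. Addresses are compared after parsing rather than as string prefixes.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical policy list: TCP peers allowed to carry signalling for other
 * endpoints. 10.71.0.55 is the Polycom CMA address from the log above. */
static const char *trusted_gateways[] = { "10.71.0.55" };

enum sig_verdict { SIG_OK, SIG_OK_VIA_GATEWAY, SIG_DENIED, SIG_BAD_ADDR };

/* Returns 1 if both strings parse to the same IPv4 address, 0 if they differ,
 * -1 if either is not a valid dotted-quad address. */
static int same_ipv4(const char *a, const char *b)
{
    struct in_addr x, y;
    if (inet_pton(AF_INET, a, &x) != 1 || inet_pton(AF_INET, b, &y) != 1)
        return -1;
    return x.s_addr == y.s_addr;
}

/* sig_ip: address carried in the H.225 message; socket_ip: actual TCP peer. */
enum sig_verdict check_sig_addr(const char *sig_ip, const char *socket_ip)
{
    int eq = same_ipv4(sig_ip, socket_ip);
    if (eq < 0)
        return SIG_BAD_ADDR;          /* refuse anything unparseable */
    if (eq)
        return SIG_OK;                /* direct call, addresses agree */
    /* Mismatch: accept only when the TCP peer itself is a listed gateway. */
    for (size_t i = 0; i < sizeof trusted_gateways / sizeof *trusted_gateways; i++)
        if (same_ipv4(socket_ip, trusted_gateways[i]) == 1)
            return SIG_OK_VIA_GATEWAY;
    return SIG_DENIED;
}

int main(void)
{
    /* The rejected call from the report: endpoint behind the CMA. */
    printf("verdict=%d\n", check_sig_addr("10.44.1.156", "10.71.0.55"));
    /* Same signalled address arriving from an unlisted peer (constructed). */
    printf("verdict=%d\n", check_sig_addr("10.44.1.156", "10.9.9.9"));
    return 0;
}
```

The exception is keyed on the socket peer, so a listed gateway is trusted for whatever signalling address it relays; every other peer still has to match exactly.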
