[asterisk-bugs] [JIRA] (ASTERISK-27013) res_rtp_asterisk: Media can be hijacked even with strict RTP enabled

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Thu Aug 31 14:30:08 CDT 2017


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Harwell updated ASTERISK-27013:
-------------------------------------

    Security:     (was: Reporter, Bug Marshals, and Digium)

> res_rtp_asterisk: Media can be hijacked even with strict RTP enabled
> --------------------------------------------------------------------
>
>                 Key: ASTERISK-27013
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27013
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 13.15.0, 14.4.0
>            Reporter: Joshua Colp
>            Assignee: Joshua Colp
>      Target Release: 11.25.2, 13.17.1, 14.6.1
>
>
> the commit https://github.com/asterisk/asterisk/commit/80b8c2349c427a94a428670f1183bdc693936813 has made asterisk vulnerable again for RTP/RTCP scanning/stealing/injection attacks (when NAT support is enabled). Version 11.0.4 was the first release to include this, all following versions have this issue (last tested against 14.4.0).
> How to reproduce:
> - set up a SIP friend with NAT support enabled
> - make a call with that SIP peer (i use a minimalistic Playback extension)
> - use rtpnatscan from a remote system (https://github.com/kapejod/rtpnatscan) to scan Asterisk's RTP port range (rtpnatscan will report received RTP packets "received X bytes from target port Y, seq Z")
> Impact:
> - denial of service (with minimal bandwidth requirements)
> - information leakage
> This is what Sandro Gauci has been talking about in his presentation at Kamailio World 2017.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list