[Asterisk-Security] ISS IAX2 DoS Vulnerability Response

Kevin P. Fleming kpfleming at digium.com
Wed Jul 19 10:08:01 MST 2006


Recently, ISS posted a report about a Denial of Service vulnerability in
Asterisk's IAX2 implementation. This vulnerability exists in all
existing IAX2 implementations that accept incoming calls (not just
Asterisk), and relates to the amount of time that a pending (but not yet
authenticated) call is allowed to exist in memory on the server.

In response to this report, we recently released Asterisk 1.2.10, which
provides a configuration option that the administrator can use to combat
this activity. This option is called 'maxauthreq' and is available at
the global level and for type=user entries in iax.conf (it is not needed
for type=peer entries, since peers cannot place calls into the Asterisk
server). Since this is a release branch of Asterisk, we were not
comfortable changing the default behavior, so this new option defaults
to zero, which means there is no limit in place.

We urge all users with Asterisk servers connected to public (or
otherwise uncontrolled) networks to upgrade to Asterisk 1.2.10 and set
this configuration option to a reasonable value; for most IAX2 user
accounts a value of three will be more than adequate. If a user attempts
to place more calls than are allowed without providing authentication
information for the earlier ones, the additional requests will be
denied without being sent an authentication challenge and without the
call state being kept in memory for the normal period of time.
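A configuration fragment showing the weak default beside the corrected setting, at both the global level and for individual type=user entries. This is an added example, not a configuration shipped with Asterisk or quoted in the advisory; the account names, contexts and secrets are hypothetical placeholders.

```ini
; iax.conf (added example, not from the advisory). Account names, contexts
; and secrets below are hypothetical placeholders; replace them.

[general]
bindport=4569
bindaddr=0.0.0.0
; Asterisk 1.2.10 ships with maxauthreq=0, i.e. no limit: a remote party can
; leave an unbounded number of unauthenticated calls pending in memory.
; maxauthreq=0
;
; Corrected: cap outstanding unauthenticated call requests per user.
; type=user entries inherit this unless they override it.
maxauthreq=3

; Ordinary inbound account: inherits the global limit of 3.
[alice]
type=user
secret=CHANGEME
context=from-iax

; A trunk that legitimately opens many calls at once gets a higher,
; but still bounded, per-user ceiling.
[trunk-partner]
type=user
secret=CHANGEME2
context=from-trunk
maxauthreq=10

; Outbound-only definition: peers cannot place calls into this server,
; so maxauthreq is not needed here.
[upstream]
type=peer
host=upstream.example.net
secret=CHANGEME3
```

After editing the file, reload the channel driver (`iax2 reload` at the Asterisk CLI) so the new limits take effect without restarting Asterisk. Pick the per-user values from the number of simultaneous calls each account is genuinely expected to set up at once, not from the total call volume, since the limit only counts requests that have not yet completed authentication.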

In the Asterisk 1.4 release which will be coming soon, this option will
default to three for all installations, and the administrator will need
to override it to allow more simultaneous unauthenticated calls.

We want to thank ISS for bringing this vulnerability to our attention
and allowing us to work on (and release) a fix/workaround prior to
public announcement of the vulnerability.

-- 
Kevin P. Fleming
Senior Software Engineer
Digium, Inc.

