[asterisk-security] ASA-2007-018: Resource Exhaustion vulnerability in IAX2 channel driver

The Asterisk Development Team asteriskteam at digium.com
Tue Jul 24 18:26:27 CDT 2007


                      Asterisk Project Security Advisory -

   
+------------------------------------------------------------------------+
   |      Product       | 
Asterisk                                          |
   
|--------------------+---------------------------------------------------|
   |      Summary       | Resource Exhaustion vulnerability in IAX2 
channel |
   |                    | 
driver                                            |
   
|--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of 
Service                                 |
   
|--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated 
Sessions                   |
   
|--------------------+---------------------------------------------------|
   |      Severity      | 
Moderate                                          |
   
|--------------------+---------------------------------------------------|
   |   Exploits Known   | 
No                                                |
   
|--------------------+---------------------------------------------------|
   |    Reported On     | July 19, 
2007                                     |
   
|--------------------+---------------------------------------------------|
   |    Reported By     | Russell Bryant, Digium, Inc. 
<russell at digium.com> |
   
|--------------------+---------------------------------------------------|
   |     Posted On      | July 23, 
2007                                     |
   
|--------------------+---------------------------------------------------|
   |  Last Updated On   | July 23, 
2007                                     |
   
|--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant 
<russell at digium.com>               |
   
|--------------------+---------------------------------------------------|
   |      CVE Name      
|                                                   |
   
+------------------------------------------------------------------------+

   
+------------------------------------------------------------------------+
   | Description | The IAX2 channel driver in Asterisk is vulnerable to 
a   |
   |             | Denial of Service attack when configured to 
allow        |
   |             | unauthenticated calls. An attacker can send a flood 
of   |
   |             | NEW packets for valid extensions to the server 
to        |
   |             | initiate calls as the unauthenticated user. This 
will    |
   |             | cause resources on the Asterisk system to get 
allocated  |
   |             | that will never go away. Furthermore, the IAX2 
channel   |
   |             | driver will be stuck trying to 
reschedule                |
   |             | retransmissions for each of these fake calls 
for         |
   |             | forever. This can very quickly bring down a system 
and   |
   |             | the only way to recover is to restart 
Asterisk.          |
   |             
|                                                          |
   |             | Detailed 
Explanation:                                    |
   |             
|                                                          |
   |             | Within the last few months, we made some changes 
to      |
   |             | chan_iax2 to combat the abuse of this module for 
traffic |
   |             | amplification attacks. Unfortunately, this has caused 
an |
   |             | unintended side 
effect.                                  |
   |             
|                                                          |
   |             | The summary of the change to combat 
traffic              |
   |             | amplification is this. Once you start the PBX on 
the     |
   |             | Asterisk channel, it will begin receiving frames to 
be   |
   |             | sent back out to the network. We delayed this 
from       |
   |             | happening until a 3-way handshake has occurred to 
help   |
   |             | ensure that we are talking to the IP address 
the         |
   |             | messages appear to be coming 
from.                       |
   |             
|                                                          |
   |             | When chan_iax2 accepts an unauthenticated call, 
it       |
   |             | immediately creates the ast_channel for the 
call.        |
   |             | However, since the 3-way handshake has not 
been          |
   |             | completed, the PBX is not started on this 
channel.       |
   |             
|                                                          |
   |             | Later, when the maximum number of retries have 
been      |
   |             | exceeded on responses to this NEW, the code tries 
to     |
   |             | hang up the call. Now, it has 2 ways to do 
this,         |
   |             | depending on if there is an ast_channel related to 
this  |
   |             | IAX2 session or not. If there is no channel, then it 
can |
   |             | just destroy the iax2 private structure and move on. 
If  |
   |             | there is a channel, it queues a HANGUP frame, 
and        |
   |             | expects that to make the ast_channel get torn 
down,      |
   |             | which would then cause the pvt struct to get 
destroyed   |
   |             | 
afterwords.                                              |
   |             
|                                                          |
   |             | However, since there was no PBX started on this 
channel, |
   |             | there is nothing servicing the channel to receive 
the    |
   |             | HANGUP frame. Therefore, the call never gets 
destroyed.  |
   |             | To make things worse, there is some code 
continuously    |
   |             | rescheduling PINGs and LAGRQs to be sent for the 
active  |
   |             | IAX2 call, which will always 
fail.                       |
   |             
|                                                          |
   |             | In summary, sending a bunch of NEW frames to 
request     |
   |             | unauthenticated calls can make a server unusable 
within  |
   |             | a matter of 
seconds.                                     |
   
+------------------------------------------------------------------------+

   
+------------------------------------------------------------------------+
   | Resolution | The default configuration that is distributed 
with        |
   |            | Asterisk includes a guest account that 
allows             |
   |            | unauthenticated calls. If this account and any 
other      |
   |            | account without a password is disabled for IAX2, then 
the |
   |            | system is not vulnerable to this 
problem.                 |
   |            
|                                                           |
   |            | For systems that continue to allow unauthenticated 
IAX2   |
   |            | calls, they must be updated to one of the versions 
listed |
   |            | as including the fix 
below.                               |
   
+------------------------------------------------------------------------+

   
+------------------------------------------------------------------------+
   |                           Affected 
Versions                            |
   
|------------------------------------------------------------------------|
   |          Product           |   Release   
|                             |
   |                            |   Series    
|                             |
   
|----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not 
affected                |
   
|----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | 1.2.20, 1.2.21, 
1.2.21.1,   |
   |                            |             | 
1.2.22                      |
   
|----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | 1.4.5, 1.4.6, 
1.4.7,        |
   |                            |             | 1.4.7.1, 
1.4.8              |
   
|----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not 
affected                |
   
|----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | Not 
affected                |
   
|----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | 
beta6                       |
   
|----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | 
0.5.0                       |
   |       Developer Kit        |             
|                             |
   
|----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | 1.0.0-beta5 up to 
and       |
   |                            |             | including 
1.0.2             |
   
+------------------------------------------------------------------------+

   
+------------------------------------------------------------------------+
   |                              Corrected 
In                              |
   
|------------------------------------------------------------------------|
   |       Product        |                     
Release                     |
   
|----------------------+-------------------------------------------------|
   | Asterisk Open Source |  1.2.23 and 1.4.9, available for download 
from  |
   |                      |       
http://ftp.digium.com/pub/asterisk        |
   
|----------------------+-------------------------------------------------|
   |     AsteriskNOW      |              Beta6, available 
from              |
   |                      |  http://www.asterisknow.org/. Users can 
update  |
   |                      |     using the system update feature in 
the      |
   |                      |            appliance control 
panel.             |
   
|----------------------+-------------------------------------------------|
   |  Asterisk Appliance  |       0.6.0, available for download 
from        |
   |    Developer Kit     |         
http://ftp.digium.com/pub/aadk          |
   
|----------------------+-------------------------------------------------|
   |   s800i (Asterisk    |                      
1.0.3                      |
   |      Appliance)      
|                                                 |
   
+------------------------------------------------------------------------+

   
+------------------------------------------------------------------------+
   |        Links        
|                                                  |
   
+------------------------------------------------------------------------+

   
+------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted 
at                     |
   | 
http://www.asterisk.org/security.                                      |
   
|                                                                        |
   | This document may be superseded by later versions; if so, the 
latest   |
   | version will be posted at 
http://ftp.digium.com/pub/asa/.pdf.          |
   
+------------------------------------------------------------------------+

   
+------------------------------------------------------------------------+
   |                            Revision 
History                            |
   
|------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions 
Made      |
   
|-------------------+-------------------------+--------------------------|
   | July 23, 2007     | russell at digium.com      | Initial 
Release          |
   
+------------------------------------------------------------------------+

                      Asterisk Project Security Advisory -
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory 
in its
                           original, unaltered form.



More information about the asterisk-security mailing list