[asterisk-users] Possible Security issue with Kamailio - Asterisk Realtime integration

Barry Flanagan barryf-lists at flanagan.ie
Mon Feb 11 07:21:32 CST 2013


I have an installation based on Daniel-Constantin Mierla's excellent
Kamailio 3.3 / Asterisk 10 Realtime document (
but have come across an issue which is a potential problem.

In this installation all SIP clients register with Kamailio, and the
registrations are forwarded to Asterisk. This means that all registered
clients (stored in sipregs table) have the same IP address and Port: that
of the Kamailio server. The "secret" which Asterisk reads is empty to avoid
Asterisk issuing a challenge.

I have discovered that if a client successfully registers with Kamailio,
but for whatever reason this user is not in the database Asterisk is
accessing - say for example if two MySQL slaves are out of sync - and then
sends an INVITE, Asterisk ends up picking the first user in sipregs which
shares the same IP and Port as the incoming request and treats this as the
Caller. Of course in our scenario there will be many of these because all
clients are registered from Kamailio's IP/Port.

For example, here is the sequence of database queries Asterisk performs
when a client with a From of 101864 attempts to make a call:

SELECT * FROM ast_sipusers WHERE name = '101864' AND host = 'dynamic'
SELECT * FROM ast_sipusers WHERE name = '101864'
SELECT * FROM ast_sipusers WHERE host = '' AND port = '5060' AND
callbackextension = '014373500'

OK, the above are fine. Asterisk looks for a user, and a callback exten.

SELECT * FROM ast_sipusers WHERE host = '' AND port = '5060'

Now Asterisk looks for a peer. Still OK.

SELECT * FROM ast_sipregs WHERE ipaddr = '' AND port = '5060'

Here Asterisk is checking sipregs for ANY entry with the IP and Port of
Kamailio. In this case it finds the first such user, 485833

SELECT * FROM ast_sipusers WHERE name = '485833'

Now Asterisk treats this call as if it was coming from 485833, which is
totally wrong and very bad.

Does anyone know what I would need to do in order to ensure that Asterisk
rejects the call attempt if it does not find an exact username match?


-Barry Flanagan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20130211/9cf83033/attachment.htm>

More information about the asterisk-users mailing list