[asterisk-dev] AST-2011-005: File Descriptor Resource Exhaustion
Asterisk Security Team
security at asterisk.org
Thu Apr 21 16:40:25 CDT 2011
Asterisk Project Security Advisory - AST-2011-005
Product Asterisk
Summary File Descriptor Resource Exhaustion
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated TCP Based Sessions (TCP SIP,
Skinny, Asterisk Manager Interface, and HTTP sessions)
Severity Moderate
Exploits Known Yes
Reported On March 18, 2011
Reported By Tzafrir Cohen < tzafrir.cohen AT xorcom DOT com >
Posted On April 21, 2011
Last Updated On April 21, 2011
Advisory Contact Matthew Nicholson <mnicholson at digium.com>
CVE Name CVE-2011-1507
Description On systems that have the Asterisk Manager Interface, Skinny,
SIP over TCP, or the built in HTTP server enabled, it is
possible for an attacker to open as many connections to
asterisk as he wishes. This will cause Asterisk to run out of
available file descriptors and stop processing any new calls.
Additionally, disk space can be exhausted as Asterisk logs
failures to open new file descriptors.
Resolution Asterisk can now limit the number of unauthenticated
connections to each vulnerable interface and can also limit the
time unauthenticated clients will remain connected for some
interfaces. This will prevent vulnerable interfaces from using
up all available file descriptors. Care should be taken when
setting the connection limits so that the combined total of
allowed unauthenticated sessions from each service is not more
than the file descriptor limit for the Asterisk process. The
file descriptor limit can be checked (and set) using the
"ulimit -n" command for the process' limit and the
"/proc/sys/fs/file-max" file (on Linux) for the system's limit.
It will still be possible for an attacker to deny service to
each of the vulnerable services individually. To mitigate this
risk, vulnerable services should be run behind a firewall that
can detect and prevent DoS attacks.
In addition to using a firewall to filter traffic, vulnerable
systems can be protected by disabling the vulnerable services
in their respective configuration files.
Affected Versions
Product Release Series
Asterisk Open Source 1.4.x All versions
Asterisk Open Source 1.6.1.x All versions
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Business Edition C.x.x All versions
Corrected In
Product Release
Asterisk Open Source 1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3
Asterisk Business Edition C.3.6.4
Patches
URL Branch
http://downloads.asterisk.org/pub/security/AST-2011-005-1.4.diff 1.4
http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.1.diff 1.6.1
http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.2.diff 1.6.2
http://downloads.asterisk.org/pub/security/AST-2011-005-1.8.diff 1.8
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-005.pdf and
http://downloads.digium.com/pub/security/AST-2011-005.html
Revision History
Date Editor Revisions Made
04/21/11 Matthew Nicholson Initial version
Asterisk Project Security Advisory - AST-2011-005
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
More information about the asterisk-dev
mailing list