[asterisk-dev] Help with recently discovered RTP/RTCP issues

Matt Fredrickson creslin at digium.com
Wed Sep 13 15:01:11 CDT 2017


Hey All,

Many of you may have noticed the most recent security release for
correcting a potential RTP hijacking vulnerability when strictrtp is
enabled in conjunction with certain NAT settings.  In reality, it’s
very challenging to get gain and plunder from the bug due to several
mitigation strategies used in Asterisk (random RTP port selection and
large default RTP port range).

Unfortunately, after releasing the RTP security patch, it was also
determined that the RTCP stream had the same potential stream
hijacking flaw.  In addition, the security patch in question also made
remote address training occur too quickly, which has its own potential
unintended consequences.

It was frustrating that we missed these two malfunctions, and so in an
effort to make sure that there are no other known holes, we put fixes
for the two bugs up on gerrit and also took a look back at the RTP RFC
to make sure that our RTP/RTCP stream qualification code doesn’t have
any additional issues.


We’d appreciate it if anybody who has any interest in this area could
lend some more eyeballs to the reviews in question, as this is a case
where lots of brains could help close these bugs up better.

The reviews in question are:

https://gerrit.asterisk.org/#/c/6443/

For the RTCP hijacking vulnerability, as well as some additional RTCP fixes.

https://gerrit.asterisk.org/#/c/6410/

For the too-rapid training bug, as well as any other RTP fixes that we
could find.

Your thoughts and attention would be much appreciated.

-- 
Matthew Fredrickson
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA


