Asterisk Project Security Advisory - AST-2009-006 +----------------------------------------------------------------------- -+ | Product | Asterisk | |--------------------+-------------------------------------------------- -| | Summary | IAX2 Call Number Resource Exhaustion | |--------------------+-------------------------------------------------- -| | Nature of Advisory | Denial of Service | |--------------------+-------------------------------------------------- -| | Susceptibility | Remote unauthenticated sessions | |--------------------+-------------------------------------------------- -| | Severity | Major | |--------------------+-------------------------------------------------- -| | Exploits Known | Yes - Published by Blake Cornell < blake AT | | | remoteorigin DOT com > on voip0day.com | |--------------------+-------------------------------------------------- -| | Reported On | June 22, 2008 | |--------------------+-------------------------------------------------- -| | Reported By | Noam Rathaus < noamr AT beyondsecurity DOT com >, | | | with his SSD program, also by Blake Cornell | |--------------------+-------------------------------------------------- -| | Posted On | September 3, 2009 | |--------------------+-------------------------------------------------- -| | Last Updated On | September 3, 2009 | |--------------------+-------------------------------------------------- -| | Advisory Contact | Russell Bryant < russell AT digium DOT com > | |--------------------+-------------------------------------------------- -| | CVE Name | CVE-2009-2346 | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Description | The IAX2 protocol uses a call number to associate | | | messages with the call that they belong to. However, the | | | protocol defines the call number field in messages as a | | | fixed size 15 bit field. So, if all call numbers are in | | | use, no additional sessions can be handled. | | | | | | A call number gets created at the start of an IAX2 | | | message exchange. So, an attacker can send a large | | | number of messages and consume the call number space. | | | The attack is also possible using spoofed source IP | | | addresses as no handshake is required before a call | | | number is assigned. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Resolution | Upgrade to a version of Asterisk listed in this document | | | as containing the IAX2 protocol security enhancements. In | | | addition to upgrading, administrators should consult the | | | users guide section of the IAX2 Security document | | | (IAX2-security.pdf), as well as the sample configuration | | | file for chan_iax2 that have been distributed with those | | | releases for assistance with new options that have been | | | provided. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Discussion | A lot of time was spent trying to come up with a way to | | | resolve this issue in a way that was completely backwards | | | compatible. However, the final resolution ended up | | | requiring a modification to the IAX2 protocol. This | | | modification is referred to as call token validation. | | | Call token validation is used as a handshake before call | | | numbers are assigned to IAX2 connections. | | | | | | Call token validation by itself does not resolve the | | | issue. However, it does allow an IAX2 server to validate | | | that the source of the messages has not been spoofed. In | | | addition to call token validation, Asterisk now also has | | | the ability to limit the amount of call numbers assigned | | | to a given remote IP address. | | | | | | The combination of call token validation and call number | | | allocation limits is used to mitigate this denial of | | | service issue. | | | | | | An alternative approach to securing IAX2 would be to use | | | a security layer on top of IAX2, such as DTLS [RFC4347] | | | or IPsec [RFC4301]. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Affected Versions | |----------------------------------------------------------------------- -| | Product | Release Series | | |----------------------------------+----------------+------------------- -| | Asterisk Open Source | 1.2.x | All versions | |----------------------------------+----------------+------------------- -| | Asterisk Open Source | 1.4.x | All versions | |----------------------------------+----------------+------------------- -| | Asterisk Open Source | 1.6.x | All versions | |----------------------------------+----------------+------------------- -| | Asterisk Business Edition | B.x.x | All versions | |----------------------------------+----------------+------------------- -| | Asterisk Business Edition | C.x.x | All versions | |----------------------------------+----------------+------------------- -| | s800i (Asterisk Appliance) | 1.3.x | All versions | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Corrected In | |----------------------------------------------------------------------- -| | Product | Release | |---------------------------------------------+------------------------- -| | Asterisk Open Source | 1.2.35 | |---------------------------------------------+------------------------- -| | Asterisk Open Source | 1.4.26.2 | |---------------------------------------------+------------------------- -| | Asterisk Open Source | 1.6.0.15 | |---------------------------------------------+------------------------- -| | Asterisk Open Source | 1.6.1.6 | |---------------------------------------------+------------------------- -| | Asterisk Business Edition | B.2.5.10 | |---------------------------------------------+------------------------- -| | Asterisk Business Edition | C.2.4.3 | |---------------------------------------------+------------------------- -| | Asterisk Business Edition | C.3.1.1 | |---------------------------------------------+------------------------- -| | S800i (Asterisk Appliance) | 1.3.0.3 | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- ------+ | Patches | |----------------------------------------------------------------------- ------| | Link |Branch| |----------------------------------------------------------------------+ ------| |http://downloads.asterisk.org/pub/security/AST-2009-006-1.2.diff.txt |1.2 | |----------------------------------------------------------------------+ ------| |http://downloads.asterisk.org/pub/security/AST-2009-006-1.4.diff.txt |1.4 | |----------------------------------------------------------------------+ ------| |http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.0.diff.txt| 1.6.0 | |----------------------------------------------------------------------+ ------| |http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.1.diff.txt| 1.6.1 | +----------------------------------------------------------------------- ------+ +----------------------------------------------------------------------- -+ | Links | http://www.rfc-editor.org/authors/rfc5456.txt | | | https://issues.asterisk.org/view.php?id=12912 | | | http://www.beyondsecurity.com/ssd.html | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2009-006.pdf and | | http://downloads.digium.com/pub/security/AST-2009-006.html | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Revision History | |----------------------------------------------------------------------- -| | Date | Editor | Revisions Made | |------------------+----------------------+----------------------------- -| | 2009-09-03 | Russell Bryant | Initial release | +----------------------------------------------------------------------- -+ Asterisk Project Security Advisory - AST-2009-006 Copyright (c) 2009 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.