Resource exhaustion vulnerability in IAX2 channel driver

2007.08.06
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Asterisk Project Security Advisory - ASA-2007-018

Product:             Asterisk
Summary:             Resource Exhaustion vulnerability in IAX2 channel driver
Nature of Advisory:  Denial of Service
Susceptibility:      Remote Unauthenticated Sessions
Severity:            Moderate
Exploits Known:      No
Reported On:         July 19, 2007
Reported By:         Russell Bryant, Digium, Inc. <russell (at) digium (dot) com>
Posted On:           July 23, 2007
Last Updated On:     July 25, 2007
Advisory Contact:    Russell Bryant <russell (at) digium (dot) com>
CVE Name:

Description

The IAX2 channel driver in Asterisk is vulnerable to a Denial of Service attack when configured to allow unauthenticated calls. An attacker can send a flood of NEW packets for valid extensions to the server to initiate calls as the unauthenticated user. This will cause resources on the Asterisk system to get allocated that will never go away. Furthermore, the IAX2 channel driver will be stuck trying to reschedule retransmissions for each of these fake calls forever. This can very quickly bring down a system, and the only way to recover is to restart Asterisk.

Detailed Explanation:

Within the last few months, we made some changes to chan_iax2 to combat the abuse of this module for traffic amplification attacks. Unfortunately, this has caused an unintended side effect.

The summary of the change to combat traffic amplification is this. Once you start the PBX on the Asterisk channel, it will begin receiving frames to be sent back out to the network. We delayed this from happening until a 3-way handshake has occurred to help ensure that we are talking to the IP address the messages appear to be coming from.

When chan_iax2 accepts an unauthenticated call, it immediately creates the ast_channel for the call. However, since the 3-way handshake has not been completed, the PBX is not started on this channel.

Later, when the maximum number of retries has been exceeded on responses to this NEW, the code tries to hang up the call. It has two ways to do this, depending on whether there is an ast_channel related to this IAX2 session or not. If there is no channel, it can just destroy the iax2 private structure and move on. If there is a channel, it queues a HANGUP frame and expects that to make the ast_channel get torn down, which would then cause the pvt struct to be destroyed afterwards.

However, since no PBX was started on this channel, there is nothing servicing the channel to receive the HANGUP frame. Therefore, the call never gets destroyed. To make things worse, there is some code continuously rescheduling PINGs and LAGRQs to be sent for the active IAX2 call, which will always fail.

In summary, sending a bunch of NEW frames to request unauthenticated calls can make a server unusable within a matter of seconds.

Resolution

The default configuration that is distributed with Asterisk includes a guest account that allows unauthenticated calls. If this account and any other account without a password is disabled for IAX2, then the system is not vulnerable to this problem.

Systems that continue to allow unauthenticated IAX2 calls must be updated to one of the versions listed below as including the fix.

Affected Versions

Product                           | Release Series | Affected Releases
----------------------------------+----------------+-----------------------------------------
Asterisk Open Source              | 1.0.x          | Not affected
Asterisk Open Source              | 1.2.x          | 1.2.20, 1.2.21, 1.2.21.1, 1.2.22
Asterisk Open Source              | 1.4.x          | 1.4.5, 1.4.6, 1.4.7, 1.4.7.1, 1.4.8
Asterisk Business Edition         | A.x.x          | Not affected
Asterisk Business Edition         | B.x.x          | Not affected
AsteriskNOW                       | pre-release    | beta6
Asterisk Appliance Developer Kit  | 0.x.x          | 0.5.0
s800i (Asterisk Appliance)        | 1.0.x          | 1.0.0-beta5 up to and including 1.0.2

Corrected In

Asterisk Open Source:              1.2.23 and 1.4.9, available for download from http://ftp.digium.com/pub/asterisk
AsteriskNOW:                       Beta6, available from http://www.asterisknow.org/. Users can update using the system update feature in the appliance control panel.
Asterisk Appliance Developer Kit:  0.6.0, available for download from http://ftp.digium.com/pub/aadk
s800i (Asterisk Appliance):        1.0.3

Links

(none)

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security.

This document may be superseded by later versions; if so, the latest version will be posted at http://ftp.digium.com/pub/asa/ASA-2007-018.pdf.

Revision History

Date           | Editor                          | Revisions Made
---------------+---------------------------------+----------------
July 23, 2007  | russell (at) digium (dot) com   | Initial Release

Asterisk Project Security Advisory - ASA-2007-018
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
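The teardown path the Detailed Explanation describes, as an added illustrative model that is not Asterisk's chan_iax2 code: a driver that hangs up a channelled session by queuing a HANGUP frame for a PBX that was never started (so the pvt leaks), beside a fixed variant that frees the session directly whenever no PBX is running. Class and method names, and the call counts, are constructed for the example.

```python
# Added model of the ASA-2007-018 teardown bug in chan_iax2; not Asterisk code.
# An unauthenticated NEW creates an ast_channel at once, but the PBX that services
# that channel starts only after the 3-way handshake. Hanging up a session that has
# a channel means queuing a HANGUP frame for the PBX; with no PBX, nobody reads it.
from dataclasses import dataclass


@dataclass(eq=False)
class Pvt:
    channel: bool = False        # an ast_channel exists for this session
    pbx_started: bool = False    # PBX is servicing the channel (handshake done)
    hangup_queued: bool = False  # HANGUP frame waiting for the PBX to act on it


class Driver:
    def __init__(self, fixed):
        self.fixed = fixed        # True: free pvt directly when no PBX is running
        self.sessions = []        # live pvt structs (the resource that is exhausted)

    def accept_unauthenticated_new(self):
        pvt = Pvt(channel=True)   # channel created, PBX not yet started
        self.sessions.append(pvt)
        return pvt

    def complete_handshake(self, pvt):
        pvt.pbx_started = True    # PBX now runs and will consume queued frames

    def retries_exhausted(self, pvt):
        """Called when the reply to NEW has been retransmitted too many times."""
        if not pvt.channel or (self.fixed and not pvt.pbx_started):
            self.sessions.remove(pvt)   # destroy the pvt directly
        else:
            pvt.hangup_queued = True    # rely on the PBX to tear the channel down
            self.service_channel(pvt)

    def service_channel(self, pvt):
        # Only a started PBX reads frames; otherwise the HANGUP sits unread forever.
        if pvt.pbx_started and pvt.hangup_queued:
            self.sessions.remove(pvt)


def leaked_sessions(fixed, calls=100, handshaken=False):
    """Accept `calls` unauthenticated NEWs, exhaust retries, return pvts still alive."""
    drv = Driver(fixed)
    for _ in range(calls):
        pvt = drv.accept_unauthenticated_new()
        if handshaken:
            drv.complete_handshake(pvt)
        drv.retries_exhausted(pvt)
    return len(drv.sessions)
```

With the vulnerable driver every unanswered NEW leaves a live pvt behind, while calls that completed the handshake (and so have a PBX) tear down correctly in both variants.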

