IAX2 Call Number Resource Exhaustion

2009.09.09
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Asterisk Project Security Advisory - AST-2009-006

Product:            Asterisk
Summary:            IAX2 Call Number Resource Exhaustion
Nature of Advisory: Denial of Service
Susceptibility:     Remote unauthenticated sessions
Severity:           Major
Exploits Known:     Yes - Published by Blake Cornell < blake AT remoteorigin DOT com > on voip0day.com
Reported On:        June 22, 2008
Reported By:        Noam Rathaus < noamr AT beyondsecurity DOT com >, with his SSD program, also by Blake Cornell
Posted On:          September 3, 2009
Last Updated On:    September 3, 2009
Advisory Contact:   Russell Bryant < russell AT digium DOT com >
CVE Name:           CVE-2009-2346

Description

The IAX2 protocol uses a call number to associate messages with the call that they belong to. However, the protocol defines the call number field in messages as a fixed-size 15-bit field. So, if all call numbers are in use, no additional sessions can be handled.

A call number gets created at the start of an IAX2 message exchange. So, an attacker can send a large number of messages and consume the call number space. The attack is also possible using spoofed source IP addresses, as no handshake is required before a call number is assigned.

Resolution

Upgrade to a version of Asterisk listed in this document as containing the IAX2 protocol security enhancements. In addition to upgrading, administrators should consult the users guide section of the IAX2 Security document (IAX2-security.pdf), as well as the sample configuration file for chan_iax2 that has been distributed with those releases, for assistance with the new options that have been provided.

Discussion

A lot of time was spent trying to come up with a way to resolve this issue in a way that was completely backwards compatible. However, the final resolution ended up requiring a modification to the IAX2 protocol. This modification is referred to as call token validation. Call token validation is used as a handshake before call numbers are assigned to IAX2 connections.

Call token validation by itself does not resolve the issue. However, it does allow an IAX2 server to validate that the source of the messages has not been spoofed. In addition to call token validation, Asterisk now also has the ability to limit the number of call numbers assigned to a given remote IP address.

The combination of call token validation and call number allocation limits is used to mitigate this denial of service issue.

An alternative approach to securing IAX2 would be to use a security layer on top of IAX2, such as DTLS [RFC4347] or IPsec [RFC4301].

Affected Versions

Product                       Release Series
Asterisk Open Source          1.2.x            All versions
Asterisk Open Source          1.4.x            All versions
Asterisk Open Source          1.6.x            All versions
Asterisk Business Edition     B.x.x            All versions
Asterisk Business Edition     C.x.x            All versions
s800i (Asterisk Appliance)    1.3.x            All versions

Corrected In

Product                       Release
Asterisk Open Source          1.2.35
Asterisk Open Source          1.4.26.2
Asterisk Open Source          1.6.0.15
Asterisk Open Source          1.6.1.6
Asterisk Business Edition     B.2.5.10
Asterisk Business Edition     C.2.4.3
Asterisk Business Edition     C.3.1.1
S800i (Asterisk Appliance)    1.3.0.3

Patches

Link                                                                     Branch
http://downloads.asterisk.org/pub/security/AST-2009-006-1.2.diff.txt     1.2
http://downloads.asterisk.org/pub/security/AST-2009-006-1.4.diff.txt     1.4
http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.0.diff.txt   1.6.0
http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.1.diff.txt   1.6.1

Links

http://www.rfc-editor.org/authors/rfc5456.txt
https://issues.asterisk.org/view.php?id=12912
http://www.beyondsecurity.com/ssd.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2009-006.pdf and http://downloads.digium.com/pub/security/AST-2009-006.html

Revision History

Date          Editor            Revisions Made
2009-09-03    Russell Bryant    Initial release

Asterisk Project Security Advisory - AST-2009-006
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
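The Discussion above describes two mitigations that work together: a call token handshake that must complete before any call number is allocated, and a per-source-address cap on allocated call numbers. The following Python simulation is an added illustration of that design and is not Asterisk's chan_iax2 code. Its message names (NEW, CALLTOKEN, ACCEPT, REJECT), the token construction (an HMAC over the source address and a time window), the default per-address limit and the treatment of call number 0 as reserved are all assumptions made for the example; the real protocol extension is specified in Asterisk's IAX2-security.pdf.

```python
"""Simulation of call token validation plus per-address call number limits.

Added example for AST-2009-006, not Asterisk code. Message names, token
format and limits are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
import time

CALL_NUMBER_BITS = 15
# 15-bit field; call number 0 treated as reserved here (assumption), so
# at most 2**15 - 1 calls can exist at once no matter what the server does.
MAX_CALL_NUMBERS = (1 << CALL_NUMBER_BITS) - 1


class Iax2Server:
    """Tracks allocated call numbers and refuses to allocate one until the
    requester has echoed a token that only the true owner of the source
    address could have received."""

    def __init__(self, per_ip_limit=128, token_lifetime=10.0, clock=time.time):
        self.secret = secrets.token_bytes(32)   # per-server secret (would be rotated in practice)
        self.per_ip_limit = per_ip_limit
        self.token_lifetime = token_lifetime
        self.clock = clock                      # injectable for deterministic tests
        self.calls = {}                         # call number -> source address
        self.per_ip = {}                        # source address -> allocated count
        self.next_call = 1

    def _token(self, src, window):
        # Stateless token: nothing is stored per pending request, so the
        # challenge step itself cannot be used to exhaust server memory.
        msg = f"{src}|{window}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def handle_new(self, src, token=None):
        """Handle a NEW message from `src`.

        Returns ("CALLTOKEN", token) when no token was presented (no call
        number is allocated at this point), ("ACCEPT", call_number) once a
        valid token arrives, or ("REJECT", reason)."""
        window = int(self.clock() // self.token_lifetime)
        if token is None:
            # A forged source address never sees this reply, so it can
            # never present the token and never consumes a call number.
            return ("CALLTOKEN", self._token(src, window))
        # Accept the current and the previous window to tolerate clock edges.
        valid = any(
            hmac.compare_digest(token.encode(), self._token(src, w).encode())
            for w in (window, window - 1)
        )
        if not valid:
            return ("REJECT", "bad call token")
        if self.per_ip.get(src, 0) >= self.per_ip_limit:
            return ("REJECT", "per-address call number limit reached")
        if len(self.calls) >= MAX_CALL_NUMBERS:
            return ("REJECT", "call number space exhausted")
        cn = self._allocate()
        self.calls[cn] = src
        self.per_ip[src] = self.per_ip.get(src, 0) + 1
        return ("ACCEPT", cn)

    def _allocate(self):
        # Round-robin probe over 1..MAX_CALL_NUMBERS; caller has checked space.
        for _ in range(MAX_CALL_NUMBERS):
            cn = self.next_call
            self.next_call = cn % MAX_CALL_NUMBERS + 1
            if cn not in self.calls:
                return cn
        raise RuntimeError("no free call number")

    def release(self, cn):
        """Free a call number when the call ends and decrement its owner's count."""
        src = self.calls.pop(cn)
        self.per_ip[src] -= 1
        if self.per_ip[src] == 0:
            del self.per_ip[src]


def complete_call(server, src):
    """A well-behaved client: send NEW, echo the token, receive a call number."""
    kind, payload = server.handle_new(src)
    if kind != "CALLTOKEN":
        return kind, payload
    return server.handle_new(src, token=payload)


def unanswered_new_flood(server, count):
    """Model the pre-fix failure mode with the fix in place: `count` NEW
    messages from constructed, forged source addresses that never answer
    the challenge. Returns how many call numbers they consumed (expected 0)."""
    before = len(server.calls)
    for i in range(count):
        server.handle_new(f"203.0.113.{i % 256}:{i}")   # constructed forged sources
    return len(server.calls) - before
```

With the handshake, state is only committed after a round trip, so the spoofed-source variant of the attack allocates nothing; the per-address cap bounds what a single genuine source can hold. Both limits are cheap to check before the expensive allocation path.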

References:

http://www.securityfocus.com/bid/36275
http://www.securityfocus.com/archive/1/archive/1/506257/100/0/threaded
http://securitytracker.com/id?1022819
http://secunia.com/advisories/36593
http://downloads.asterisk.org/pub/security/AST-2009-006.html

