Asterisk Project Security Advisory -

Product:            Asterisk
Summary:            Resource Exhaustion vulnerability in IAX2 channel driver
Nature of Advisory: Denial of Service
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Moderate
Exploits Known:     No
Reported On:        July 19, 2007
Reported By:        Russell Bryant, Digium, Inc. <russell at digium.com>
Posted On:          July 23, 2007
Last Updated On:    July 23, 2007
Advisory Contact:   Russell Bryant <russell at digium.com>
CVE Name:

Description

The IAX2 channel driver in Asterisk is vulnerable to a Denial of Service
attack when configured to allow unauthenticated calls. An attacker can send
a flood of NEW packets for valid extensions to the server to initiate calls
as the unauthenticated user. This causes resources on the Asterisk system to
be allocated that are never released.

Furthermore, the IAX2 channel driver will be stuck forever trying to
reschedule retransmissions for each of these fake calls. This can very
quickly bring down a system, and the only way to recover is to restart
Asterisk.

Detailed Explanation:

Within the last few months, we made some changes to chan_iax2 to combat the
abuse of this module for traffic amplification attacks. Unfortunately, this
has caused an unintended side effect.

The summary of the change to combat traffic amplification is this. Once you
start the PBX on the Asterisk channel, it begins receiving frames to be sent
back out to the network. We delayed this from happening until a 3-way
handshake has completed, to help ensure that we are talking to the IP
address the messages appear to be coming from.

When chan_iax2 accepts an unauthenticated call, it immediately creates the
ast_channel for the call. However, since the 3-way handshake has not been
completed, the PBX is not started on this channel.

Later, when the maximum number of retries has been exceeded on responses to
this NEW, the code tries to hang up the call. It has two ways to do this,
depending on whether there is an ast_channel associated with this IAX2
session. If there is no channel, it can simply destroy the iax2 private
structure and move on. If there is a channel, it queues a HANGUP frame and
expects that to make the ast_channel get torn down, which would then cause
the pvt struct to be destroyed afterwards.

However, since no PBX was started on this channel, nothing is servicing the
channel to receive the HANGUP frame. Therefore, the call never gets
destroyed.
To make things worse, some code continuously reschedules PINGs and LAGRQs to
be sent for the active IAX2 call, which will always fail.

In summary, sending a bunch of NEW frames to request unauthenticated calls
can make a server unusable within a matter of seconds.

Resolution

The default configuration that is distributed with Asterisk includes a
guest account that allows unauthenticated calls. If this account and any
other account without a password is disabled for IAX2, then the system is
not vulnerable to this problem.

Systems that continue to allow unauthenticated IAX2 calls must be updated
to one of the versions listed below as including the fix.

Affected Versions

Product                     Release Series   Affected
Asterisk Open Source        1.0.x            Not affected
Asterisk Open Source        1.2.x            1.2.20, 1.2.21, 1.2.21.1, 1.2.22
Asterisk Open Source        1.4.x            1.4.5, 1.4.6, 1.4.7, 1.4.7.1, 1.4.8
Asterisk Business Edition   A.x.x            Not affected
Asterisk Business Edition   B.x.x            Not affected
AsteriskNOW                 pre-release      beta6
Asterisk Appliance          0.x.x            0.5.0
  Developer Kit
s800i (Asterisk Appliance)  1.0.x            1.0.0-beta5 up to and including 1.0.2

Corrected In

Product                     Release
Asterisk Open Source        1.2.23 and 1.4.9, available for download from
                            http://ftp.digium.com/pub/asterisk
AsteriskNOW                 Beta6, available from http://www.asterisknow.org/.
                            Users can update using the system update feature
                            in the appliance control panel.
Asterisk Appliance          0.6.0, available for download from
  Developer Kit             http://ftp.digium.com/pub/aadk
s800i (Asterisk Appliance)  1.0.3

Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security.

This document may be superseded by later versions; if so, the latest version
will be posted at http://ftp.digium.com/pub/asa/.pdf.
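The NEW-frame flood described in the Description above, as an added example
that is not part of the original advisory or of the Asterisk code base: a
small Python parser for IAX2 full frames (12-byte header plus information
elements, laid out as in RFC 5456) and a per-source counter that flags a
sender opening many distinct calls inside a short window, which is what the
attack looks like on the wire. The frames, addresses, window and threshold
below are constructed for the example and are assumptions to tune per site.

```python
"""Detect an IAX2 NEW-frame flood of the kind the advisory describes.

Added example, not code from the Asterisk project. Parses IAX2 full frames
(RFC 5456 layout) and counts, per source address, how many distinct calls a
sender tries to open inside a short window. All input is constructed here.
"""
import struct
from collections import defaultdict, deque

IAX_FRAME_TYPE = 0x06   # frame type: IAX control frame
IAX_CMD_NEW = 0x01      # subclass: NEW (call setup request)
IE_CALLED_NUMBER = 0x01
IE_USERNAME = 0x06


def build_new_frame(src_call, called_number, username=None, timestamp=0):
    """Construct an IAX2 full frame carrying a NEW request (test input only)."""
    header = struct.pack("!HHIBBBB",
                         0x8000 | (src_call & 0x7FFF),  # F=1, source call number
                         0,                             # R=0, dest call unknown yet
                         timestamp, 0, 0,               # timestamp, oseqno, iseqno
                         IAX_FRAME_TYPE, IAX_CMD_NEW)
    ies = struct.pack("!BB", IE_CALLED_NUMBER, len(called_number)) + called_number.encode()
    if username is not None:
        ies += struct.pack("!BB", IE_USERNAME, len(username)) + username.encode()
    return header + ies


def parse_full_frame(data):
    """Return a dict for an IAX2 full frame, or None if it is not a full frame."""
    if len(data) < 12:
        return None
    scall, dcall, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", data[:12])
    if not scall & 0x8000:
        return None  # F bit clear: mini (voice) frame, carries no IEs
    ies, pos = {}, 12
    while pos + 2 <= len(data):
        ie_type, ie_len = data[pos], data[pos + 1]
        pos += 2
        if pos + ie_len > len(data):
            break  # truncated IE: stop rather than read past the buffer
        ies[ie_type] = data[pos:pos + ie_len]
        pos += ie_len
    return {"src_call": scall & 0x7FFF, "dst_call": dcall & 0x7FFF,
            "timestamp": ts, "type": ftype, "subclass": sub & 0x7F, "ies": ies}


class NewFloodDetector:
    """Flag sources that open more than `limit` distinct calls within `window` seconds."""

    def __init__(self, limit=20, window=2.0):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)  # src_ip -> deque of (time, src_call)

    def observe(self, src_ip, t, payload):
        frame = parse_full_frame(payload)
        if not frame or frame["type"] != IAX_FRAME_TYPE or frame["subclass"] != IAX_CMD_NEW:
            return None
        q = self.recent[src_ip]
        q.append((t, frame["src_call"]))
        while q and t - q[0][0] > self.window:
            q.popleft()  # drop entries that fell out of the sliding window
        distinct = len({c for _, c in q})
        if distinct > self.limit:
            # No USERNAME IE means the sender is relying on an unauthenticated account.
            unauth = IE_USERNAME not in frame["ies"]
            return {"src_ip": src_ip, "calls_in_window": distinct, "unauthenticated": unauth}
        return None


def run_sample():
    """Feed a constructed trace: one legitimate caller, one flooding host."""
    det = NewFloodDetector(limit=20, window=2.0)
    alerts = []
    # Legitimate: a handful of authenticated calls spread over time.
    for i in range(5):
        alert = det.observe("192.0.2.10", 10.0 * i,
                            build_new_frame(100 + i, "1000", username="alice"))
        if alert:
            alerts.append(alert)
    # Flood: 50 guest NEWs with fresh source call numbers inside one second.
    for i in range(50):
        alert = det.observe("198.51.100.7", 100.0 + i / 50, build_new_frame(1 + i, "1000"))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The detector keys on distinct source call numbers rather than raw packet
count, because retransmissions of one legitimate NEW reuse the same call
number while the flood described above must use a fresh one per fake call.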
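The check the Resolution above calls for, as an added example that is not
code from the Asterisk project: a Python audit of iax.conf that lists every
user or friend entry able to place calls without credentials, meaning one
with no secret and no RSA inkeys. The iax.conf text is constructed for the
example; its [guest] entry mirrors the guest account shipped in the sample
configuration. That an entry with neither secret nor inkeys is accepted
unauthenticated is the advisory's premise; the handling of templates follows
Asterisk's "(!)" and "(parent)" section syntax.

```python
"""Audit an Asterisk iax.conf for accounts that accept unauthenticated calls.

Added example, not code from the Asterisk project. It implements the check
the advisory's Resolution describes: any IAX2 user/friend entry with no secret
(and no RSA inkeys) lets a remote host place calls without authenticating.
The configuration below is constructed for the example.
"""
import re

SAMPLE_IAX_CONF = """\
[general]
bindport=4569
bindaddr=0.0.0.0

[guest]
type=user
context=default
callerid="Guest IAX User"

[trunktmpl](!)
type=friend
auth=md5
context=from-trunk

[provider](trunktmpl)
secret=s3cret-example
host=dynamic

[rsapeer]
type=friend
auth=rsa
inkeys=providerkey
context=from-trunk

[weakfriend](trunktmpl)
host=dynamic
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?\s*$")


def parse_iax_conf(text):
    """Return (sections, templates): dicts of name -> list of (key, value).

    Handles ';' comments, 'key=value' and 'key=>value', template sections
    '[name](!)' and inheritance '[name](tmpl1,tmpl2)' in Asterisk's syntax.
    """
    sections, templates = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            is_template = "!" in opts
            parents = [o for o in opts if o != "!"]
            entries = []
            # Inherited options come first; later keys override earlier ones.
            for p in parents:
                entries.extend(templates.get(p, sections.get(p, [])))
            (templates if is_template else sections)[name] = entries
            current = entries
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=>") if "=>" in line else line.partition("=")
        if sep:
            current.append((key.strip().lower(), value.strip()))
    return sections, templates


def unauthenticated_accounts(text):
    """Names of non-template entries that accept inbound calls without credentials."""
    sections, _ = parse_iax_conf(text)
    weak = []
    for name, entries in sections.items():
        if name == "general":
            continue
        opts = {}
        for k, v in entries:
            opts[k] = v  # last assignment wins, as in Asterisk
        if opts.get("type", "").lower() not in ("user", "friend"):
            continue  # type=peer entries only place outbound calls
        has_secret = bool(opts.get("secret"))
        has_rsa = opts.get("auth", "").lower() == "rsa" and bool(opts.get("inkeys"))
        if not (has_secret or has_rsa):
            weak.append(name)
    return sorted(weak)


if __name__ == "__main__":
    for acct in unauthenticated_accounts(SAMPLE_IAX_CONF):
        print(f"[{acct}] accepts unauthenticated IAX2 calls; add a secret or remove it")
```

Against a live system, pass the contents of /etc/asterisk/iax.conf to
unauthenticated_accounts(); any name it reports should be given a secret (or
RSA inkeys) or removed before the upgrade window, since the fixed versions
listed above only matter for systems that keep accepting such calls.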
Revision History

Date            Editor                   Revisions Made
July 23, 2007   russell at digium.com    Initial Release

Asterisk Project Security Advisory - Copyright (c) 2007 Digium, Inc.
All Rights Reserved. Permission is hereby granted to distribute and
publish this advisory in its original, unaltered form.