Background: What is an RTP Bleed attack ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

now that hopefully everybody has updated to GnuGk 4.7 here is a little
bit of background information on the latest security update:

RTP bleed is an attack that allows the attacker to redirect the RTP
media stream (or parts of it) to his own IP without even having to
manipulate any IP routing or being in a man-in-the-middle position.
It also has good potential to mount a denial of service attack.

This vulnerability is not specific to GnuGk or H.323. It exists in a
number of telephony products and RTP proxies. recently Asterisk was
found to be vulnerable.

How is this attack possible ?

Originally H.323 announced all the ports that it intended to use inside
the signaling and all was well. Then came firewalls and today most
endpoints live on private IPs and have no idea what their public IP
might be or which port the NAT router assigns then.

Thus H.323 introduced port detection in the form or H.460.19 which only
works with registered endpoints and GnuGk extends that to unregistered
endpoints with the IgnoreSignaledIPs=1 switch.

This works very well, but it means that GnuGk has to listen to RTP
from any IP address and then send RTP for the other direction to what
ever IP the sender appears to have. An attacker can now try to send its
own RTP packets and trick GnuGk into believing they come from the call
participants. And thats really easy, since RTP itself doesn't carry any
form of authentication.
When receiving such a malicious RTP packet at the right time, GnuGk
would thus send the media stream to the attacker.

The first step to reducing the attack surface is to stop allowing
incoming RTP packets to change the send destination after the initial
port detection is done. GnuGk has always done this for H.460.19, but
not for unregistered calls until version 4.7.

Unfortunately this still leaves the possibility for an attacker to
try to send RTP packets before the real call participants do. And
since RTP is UDP, it can easily be sent with a spoofed source address
to turn this into a hard do defend against denial of service attack.

Since H.323 doesn't make any requirements where RTP will come from,
you can't defend against this remaining vulnerability without
disrupting some valid configurations.

But is most cases RTP will come from the same IP or at least the same
network where the signaling comes from. Thus GnuGk introduces a new
switch in version 4.7 so you can tell GnuGk to only accept RTP from
these IPs (RestrictRTPSources=Net). Thus an attacker would have to be
inside the calling parties network to cause harm which is way more
difficult that to be just anywhere on the internet.

If you use a load balancer or routed mode gatekeepers distributed over
multiple networks, you need to take more elaborate steps to secure
your network, but the vast majority of users should be able to secure
their configurations with RestrictRTPSources=Net. Since we violate the
H.323 standard a bit here, the switch is off by default and you will
need to set it explicitly.

I hope this clarifies the issue and explains why you should update and
secure your configuration!

References:
https://rtpbleed.com/
https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-asterisk-rtp-bleed

-- 
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail  : jan@xxxxxxxxxxxxxx
Website: https://www.gnugk.org
Support: https://www.willamowius.com/gnugk-support.html

Relaxed Communications GmbH
Frahmredder 91
22393 Hamburg
Geschäftsführer: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
USt-IdNr: DE286003584

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/




[Index of Archives]     [SIP]     [Open H.323]     [Gnu Gatekeeper]     [Asterisk PBX]     [ISDN Cause Codes]     [Yosemite News]

  Powered by Linux