<<< Date Index >>>     <<< Thread Index >>>

ASA-2007-018: Resource exhaustion vulnerability in IAX2 channel driver



               Asterisk Project Security Advisory - ASA-2007-018

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Resource Exhaustion vulnerability in IAX2 channel |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 19, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Russell Bryant, Digium, Inc. <russell@xxxxxxxxxx> |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 23, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 25, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant <russell@xxxxxxxxxx>               |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The IAX2 channel driver in Asterisk is vulnerable to a   |
   |             | Denial of Service attack when configured to allow        |
   |             | unauthenticated calls. An attacker can send a flood of   |
   |             | NEW packets for valid extensions to the server to        |
   |             | initiate calls as the unauthenticated user. This will    |
   |             | cause resources on the Asterisk system to get allocated  |
   |             | that will never go away. Furthermore, the IAX2 channel   |
   |             | driver will be stuck trying to reschedule                |
   |             | retransmissions for each of these fake calls forever.    |
   |             | This can very quickly bring down a system and the only   |
   |             | way to recover is to restart Asterisk.                   |
   |             |                                                          |
   |             | Detailed Explanation:                                    |
   |             |                                                          |
   |             | Within the last few months, we made some changes to      |
   |             | chan_iax2 to combat the abuse of this module for traffic |
   |             | amplification attacks. Unfortunately, this has caused an |
   |             | unintended side effect.                                  |
   |             |                                                          |
   |             | The summary of the change to combat traffic              |
   |             | amplification is this. Once you start the PBX on the     |
   |             | Asterisk channel, it will begin receiving frames to be   |
   |             | sent back out to the network. We delayed this from       |
   |             | happening until a 3-way handshake has occurred to help   |
   |             | ensure that we are talking to the IP address the         |
   |             | messages appear to be coming from.                       |
   |             |                                                          |
   |             | When chan_iax2 accepts an unauthenticated call, it       |
   |             | immediately creates the ast_channel for the call.        |
   |             | However, since the 3-way handshake has not been          |
   |             | completed, the PBX is not started on this channel.       |
   |             |                                                          |
   |             | Later, when the maximum number of retries have been      |
   |             | exceeded on responses to this NEW, the code tries to     |
   |             | hang up the call. Now, it has 2 ways to do this,         |
   |             | depending on if there is an ast_channel related to this  |
   |             | IAX2 session or not. If there is no channel, then it can |
   |             | just destroy the iax2 private structure and move on. If  |
   |             | there is a channel, it queues a HANGUP frame, and        |
   |             | expects that to make the ast_channel get torn down,      |
   |             | which would then cause the pvt struct to get destroyed   |
   |             | afterwords.                                              |
   |             |                                                          |
   |             | However, since there was no PBX started on this channel, |
   |             | there is nothing servicing the channel to receive the    |
   |             | HANGUP frame. Therefore, the call never gets destroyed.  |
   |             | To make things worse, there is some code continuously    |
   |             | rescheduling PINGs and LAGRQs to be sent for the active  |
   |             | IAX2 call, which will always fail.                       |
   |             |                                                          |
   |             | In summary, sending a bunch of NEW frames to request     |
   |             | unauthenticated calls can make a server unusable within  |
   |             | a matter of seconds.                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | The default configuration that is distributed with        |
   |            | Asterisk includes a guest account that allows             |
   |            | unauthenticated calls. If this account and any other      |
   |            | account without a password is disabled for IAX2, then the |
   |            | system is not vulnerable to this problem.                 |
   |            |                                                           |
   |            | For systems that continue to allow unauthenticated IAX2   |
   |            | calls, they must be updated to one of the versions listed |
   |            | as including the fix below.                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | 1.2.20, 1.2.21, 1.2.21.1,   |
   |                            |             | 1.2.22                      |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | 1.4.5, 1.4.6, 1.4.7,        |
   |                            |             | 1.4.7.1, 1.4.8              |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | beta6                       |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | 0.5.0                       |
   |       Developer Kit        |             |                             |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | 1.0.0-beta5 up to and       |
   |                            |             | including 1.0.2             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |     1.2.23 and 1.4.9, available for download from      |
   |    Source     |           http://ftp.digium.com/pub/asterisk           |
   |---------------+--------------------------------------------------------|
   |  AsteriskNOW  |                 Beta6, available from                  |
   |               |  [LINK][LINK]http://www.asterisknow.org/[LINK][LINK].  |
   |               |  Users can update using the system update feature in   |
   |               |              the appliance control panel.              |
   |---------------+--------------------------------------------------------|
   |   Asterisk    |           0.6.0, available for download from           |
   |   Appliance   |             http://ftp.digium.com/pub/aadk             |
   | Developer Kit |                                                        |
   |---------------+--------------------------------------------------------|
   |     s800i     |                         1.0.3                          |
   |   (Asterisk   |                                                        |
   |  Appliance)   |                                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | [LINK][LINK]http://www.asterisk.org/security[LINK][LINK].              |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-018.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions Made      |
   |-------------------+-------------------------+--------------------------|
   | July 23, 2007     | russell@xxxxxxxxxx      | Initial Release          |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-018
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.