
AST-2008-011: Traffic amplification in IAX2 firmware provisioning system



               Asterisk Project Security Advisory - AST-2008-011

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Traffic amplification in IAX2 firmware            |
   |                    | provisioning system                               |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Traffic amplification attack                      |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 18, 2008                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Tilghman Lesher < tlesher AT digium DOT com >     |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 22, 2008                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 22, 2008                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Tilghman Lesher < tlesher AT digium DOT com >     |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2008-3264                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | An attacker may request an Asterisk server to send part  |
   |             | of a firmware image. However, as this firmware download  |
   |             | protocol does not initiate a handshake, the source       |
   |             | address may be spoofed. Therefore, an IAX2 FWDOWNL       |
   |             | request for a firmware file may consume as little as 40  |
   |             | bytes, yet produces a 1040 byte response. Coupled with   |
   |             | multiple geographically diverse Asterisk servers, an     |
   |             | attacker may flood a victim site with unwanted firmware  |
   |             | packets.                                                 |
   +------------------------------------------------------------------------+
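The description above gives the reflection ratio that makes this bug dangerous: a 40-byte spoofed FWDOWNL request draws a 1040-byte reply, so a server serving the image amplifies traffic about 26x, while a server without the image answers with a REJECT smaller than the request. The following is an added detection example, not code from the advisory or from Asterisk: it reads constructed per-datagram records from an Asterisk host (the record layout, the peer addresses, the REJECT size of 28 bytes, and the message names NEW, ACCEPT and FWDATA are this example's assumptions), computes the firmware amplification ratio per peer, and flags peers that look like spoofed victims being flooded through the server.

```python
"""Flag reflection abuse of the IAX2 firmware download exchange.

Input is a constructed per-datagram log from an Asterisk host (one line per
UDP/4569 datagram: seconds, direction, peer address, IAX2 message, size in
bytes).  The 40-byte FWDOWNL and 1040-byte response sizes are the figures
given in AST-2008-011; everything else in the sample is made up for the
example, including the 28-byte REJECT and the message names NEW/ACCEPT/FWDATA.
"""
from collections import defaultdict

SAMPLE_LOG = """\
0.00 in  203.0.113.10 FWDOWNL 40
0.00 out 203.0.113.10 FWDATA  1040
0.01 in  203.0.113.10 FWDOWNL 40
0.01 out 203.0.113.10 FWDATA  1040
0.02 in  203.0.113.10 FWDOWNL 40
0.02 out 203.0.113.10 FWDATA  1040
0.03 in  203.0.113.10 FWDOWNL 40
0.03 out 203.0.113.10 FWDATA  1040
5.00 in  198.51.100.7 NEW     120
5.00 out 198.51.100.7 ACCEPT  60
9.00 in  192.0.2.44   FWDOWNL 40
9.00 out 192.0.2.44   REJECT  28
"""


def parse_records(text):
    """Turn the constructed log into (ts, direction, peer, message, size) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, direction, peer, msg, size = parts
        records.append((float(ts), direction, peer, msg, int(size)))
    return records


def peer_stats(records):
    """Per peer: FWDOWNL requests received, their bytes, and all bytes sent back."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0})
    for _, direction, peer, msg, size in records:
        if direction == "in" and msg == "FWDOWNL":
            stats[peer]["requests"] += 1
            stats[peer]["bytes_in"] += size
        elif direction == "out":
            stats[peer]["bytes_out"] += size
    return dict(stats)


def amplification(s):
    """Bytes the server sent to the peer per byte of FWDOWNL it received."""
    return s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else 0.0


def flag_reflectors(stats, min_requests=3, min_ratio=10.0):
    """Peers that received far more firmware traffic than they requested.

    Because FWDOWNL needs no handshake, the "requester" is most likely a
    spoofed victim address.  Thresholds are constructed; tune to your traffic.
    """
    return sorted(peer for peer, s in stats.items()
                  if s["requests"] >= min_requests and amplification(s) >= min_ratio)


if __name__ == "__main__":
    stats = peer_stats(parse_records(SAMPLE_LOG))
    for peer, s in sorted(stats.items()):
        print(f"{peer:14} requests={s['requests']:2} ratio={amplification(s):5.1f}")
    print("suspected reflection victims:", flag_reflectors(stats))
```

Run against the sample, the peer that sent four FWDOWNL requests shows a ratio of 26.0 and is flagged; the peer that was answered with a REJECT shows 0.7, which is what the workaround below achieves: a server that no longer holds the image cannot be used as an amplifier.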

   +------------------------------------------------------------------------+
   | Workaround | The only device which used this firmware upgrade          |
   |            | procedure was the IAXy ATA device, and the last firmware  |
   |            | upgrade was more than 18 months ago. It is unlikely that  |
   |            | any IAXy devices in use today still need the last         |
   |            | firmware upgrade. Therefore, deleting the firmware image  |
   |            | from the directory where it is served from and sending a  |
   |            | reload event to the Asterisk server is sufficient to      |
   |            | purge the firmware image from the Asterisk server's       |
   |            | memory. An Asterisk server which is unable to serve out   |
   |            | the requested firmware image will reply to any such       |
   |            | request with a much smaller REJECT packet, which is       |
   |            | smaller than even the FWDOWNL packet.                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | This firmware download procedure has been disabled by     |
   |            | default in Asterisk. If you should still need to upgrade  |
   |            | IAXys in the field, there is an option 'allowfwdownload'  |
   |            | which can be enabled. However, due to the reasons         |
   |            | specified in the Workaround section, it is recommended    |
   |            | that you leave this option disabled and enable it only on |
   |            | secure internal networks when an IAXy is initially        |
   |            | provisioned.                                              |
   +------------------------------------------------------------------------+
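The resolution turns the firmware download off by default and leaves 'allowfwdownload' as an opt-in. As an added example (not part of the advisory or of Asterisk), the check below parses an iax.conf fragment and reports whether that option has been switched on, so the setting can be audited across servers rather than trusted. The minimal parser, the assumption that the option sits in the [general] section, and the two constructed configuration fragments are this example's own.

```python
"""Audit an iax.conf fragment for the allowfwdownload option from AST-2008-011.

Example code; the tiny parser and the [general] placement are assumptions,
and the two fragments below are constructed for the demonstration.
"""

# Weak: firmware download re-enabled, so the server can be used as a reflector.
WEAK_CONF = """\
[general]
bindport=4569
allowfwdownload=yes   ; left on after provisioning a batch of IAXy units
"""

# Hardened: the option explicitly off, matching the corrected default.
HARDENED_CONF = """\
[general]
bindport=4569
allowfwdownload=no
"""

TRUTHY = {"yes", "true", "on", "1"}  # boolean spellings Asterisk accepts


def parse_asterisk_conf(text):
    """Parse Asterisk's ini-like format: [section] headers, key=value and
    key=>value lines, ';' comments.  Returns {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # ignore stray lines outside any section
        key, _, value = line.partition("=")
        if value.startswith(">"):  # the 'key => value' spelling
            value = value[1:]
        sections[current][key.strip().lower()] = value.strip()
    return sections


def firmware_download_enabled(conf_text):
    """True when [general] turns allowfwdownload on.  An absent key is treated
    as off, which is the corrected default described in the advisory."""
    general = parse_asterisk_conf(conf_text).get("general", {})
    return general.get("allowfwdownload", "no").lower() in TRUTHY


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        state = "ENABLED" if firmware_download_enabled(conf) else "disabled"
        print(f"{name:9} allowfwdownload {state}")
```

A server reporting ENABLED should only be one that is still provisioning IAXy units on a protected internal network, as the advisory recommends; anywhere else the option belongs off.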

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.30                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.21.2              |
   |----------------------------------+-------------+-----------------------|
   |         Asterisk Addons          |    1.2.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |         Asterisk Addons          |    1.4.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | All versions prior to |
   |                                  |             | B.2.5.4               |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    C.x.x    | All versions prior to |
   |                                  |             | C.1.10.3              |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions          |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.2.0.1               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.30          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.21.2         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.4          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.1.10.3         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.0.3          |
   |---------------------------------------------+--------------------------|
   |         s800i (Asterisk Appliance)          |         1.2.0.1          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-011.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-011.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |       Editor       |         Revisions Made          |
   |-----------------+--------------------+---------------------------------|
   | July 22, 2008   | Tilghman Lesher    | Initial release                 |
   |-----------------+--------------------+---------------------------------|
   | July 22, 2008   | Tilghman Lesher    | Revised C.1 version numbers     |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-011
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.