[asterisk-dev] ASA-2007-018: Resource Exhaustion vulnerability in IAX2 channel driver
July 25, 2007
Asterisk Project Security Advisory -
+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | Resource Exhaustion vulnerability in IAX2 channel |
|                    | driver                                            |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service                                 |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote Unauthenticated Sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Moderate                                          |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| Reported On        | July 19, 2007                                     |
|--------------------+---------------------------------------------------|
| Reported By        | Russell Bryant, Digium, Inc.                      |
|--------------------+---------------------------------------------------|
| Posted On          | July 23, 2007                                     |
|--------------------+---------------------------------------------------|
| Last Updated On    | July 23, 2007                                     |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Russell Bryant                                    |
|--------------------+---------------------------------------------------|
| CVE Name           |                                                   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The IAX2 channel driver in Asterisk is vulnerable to a   |
|             | Denial of Service attack when configured to allow        |
|             | unauthenticated calls. An attacker can send a flood of   |
|             | NEW packets for valid extensions to the server to        |
|             | initiate calls as the unauthenticated user. This will    |
|             | cause resources on the Asterisk system to get allocated  |
|             | that will never go away. Furthermore, the IAX2 channel   |
|             | driver will be stuck trying to reschedule                |
|             | retransmissions for each of these fake calls forever.    |
|             | This can very quickly bring down a system and the only   |
|             | way to recover is to restart Asterisk.                   |
|             |                                                          |
|             | Detailed Explanation:                                    |
|             |                                                          |
|             | Within the last few months, we made some changes to      |
|             | chan_iax2 to combat the abuse of this module for traffic |
|             | amplification attacks. Unfortunately, this has caused an |
|             | unintended side effect.                                  |
|             |                                                          |
|             | The summary of the change to combat traffic              |
|             | amplification is this. Once you start the PBX on the     |
|             | Asterisk channel, it will begin receiving frames to be   |
|             | sent back out to the network. We delayed this from       |
|             | happening until a 3-way handshake has occurred to help   |
|             | ensure that we are talking to the IP address the         |
|             | messages appear to be coming from.                       |
|             |                                                          |
|             | When chan_iax2 accepts an unauthenticated call, it       |
|             | immediately creates the ast_channel for the call.        |
|             | However, since the 3-way handshake has not been          |
|             | completed, the PBX is not started on this channel.       |
|             |                                                          |
|             | Later, when the maximum number of retries has been       |
|             | exceeded on responses to this NEW, the code tries to     |
|             | hang up the call. Now, it has 2 ways to do this,         |
|             | depending on whether there is an ast_channel related to  |
|             | this IAX2 session or not. If there is no channel, then   |
|             | it can just destroy the iax2 private structure and move  |
|             | on. If there is a channel, it queues a HANGUP frame,     |
|             | and expects that to make the ast_channel get torn down,  |
|             | which would then cause the pvt struct to get destroyed   |
|             | afterwards.                                              |
|             |                                                          |
|             | However, since there was no PBX started on this channel, |
|             | there is nothing servicing the channel to receive the    |
|             | HANGUP frame. Therefore, the call never gets destroyed.  |
|             | To make things worse, there is some code continuously    |
|             | rescheduling PINGs and LAGRQs to be sent for the active  |
|             | IAX2 call, which will always fail.                       |
|             |                                                          |
|             | In summary, sending a bunch of NEW frames to request     |
|             | unauthenticated calls can make a server unusable within  |
|             | a matter of seconds.                                     |
+------------------------------------------------------------------------+
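The session lifecycle the advisory describes, reduced to a small C model. This is an added illustration, not Asterisk's code: the struct and function names are invented stand-ins for ast_channel and the iax2 pvt, and the "fixed" path (tearing the session down directly when no PBX is servicing its channel) is one way to close the leak, assumed here rather than taken from the patch shipped in 1.2.23 and 1.4.9.

```c
/* Added model of the IAX2 session lifecycle described in ASA-2007-018.
 * Not Asterisk's code: names and the "fixed" path are assumptions. */
#include <stdbool.h>
#include <string.h>
#define MAX_SESSIONS 4096

struct chan_model {            /* stands in for ast_channel */
    bool pbx_started;          /* a PBX thread is reading this channel */
    int  queued_hangup;        /* HANGUP frames waiting to be read */
};
struct pvt_model {             /* stands in for the iax2 private struct */
    bool in_use;
    struct chan_model *owner;  /* channel created when NEW was accepted */
};
static struct pvt_model  sessions[MAX_SESSIONS];
static struct chan_model chans[MAX_SESSIONS];

/* Unauthenticated NEW: the channel exists at once, but the PBX is only
 * started after the 3-way handshake (the anti-amplification change). */
static void accept_new(int i) {
    sessions[i].in_use = true;
    sessions[i].owner = &chans[i];
    chans[i].pbx_started = false;
    chans[i].queued_hangup = 0;
}
static void destroy_pvt(struct pvt_model *p) { p->in_use = false; p->owner = NULL; }
/* Retries exhausted: the vulnerable path queues a HANGUP whenever a channel
 * exists; the fixed path (assumed) destroys the session when no PBX runs. */
static void retry_exhausted(struct pvt_model *p, bool fixed) {
    if (!p->owner || (fixed && !p->owner->pbx_started)) { destroy_pvt(p); return; }
    p->owner->queued_hangup++;   /* nothing will ever read this */
}
/* Only a channel with a running PBX consumes queued HANGUP frames. */
static void service_channels(int n) {
    for (int i = 0; i < n; i++)
        if (sessions[i].in_use && sessions[i].owner->pbx_started &&
            sessions[i].owner->queued_hangup)
            destroy_pvt(&sessions[i]);
}

/* Accept n NEWs (n <= MAX_SESSIONS), expire every retry budget, count live. */
int leaked_after_flood(int n, bool fixed) {
    memset(sessions, 0, sizeof sessions);
    for (int i = 0; i < n; i++) accept_new(i);
    for (int i = 0; i < n; i++) retry_exhausted(&sessions[i], fixed);
    service_channels(n);
    int live = 0;
    for (int i = 0; i < n; i++) live += sessions[i].in_use;
    return live;
}
```

With the vulnerable path every accepted NEW stays allocated after its retries expire, which is the "resources that will never go away" the advisory describes; with the assumed fix none survive.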
+------------------------------------------------------------------------+
| Resolution  | The default configuration that is distributed with       |
|             | Asterisk includes a guest account that allows            |
|             | unauthenticated calls. If this account and any other     |
|             | account without a password is disabled for IAX2, then    |
|             | the system is not vulnerable to this problem.            |
|             |                                                          |
|             | Systems that continue to allow unauthenticated IAX2      |
|             | calls must be updated to one of the versions listed      |
|             | below as including the fix.                              |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                    | Release     |                             |
|                            | Series      |                             |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.0.x       | Not affected                |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.2.x       | 1.2.20, 1.2.21, 1.2.21.1,   |
|                            |             | 1.2.22                      |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.4.x       | 1.4.5, 1.4.6, 1.4.7,        |
|                            |             | 1.4.7.1, 1.4.8              |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition  | A.x.x       | Not affected                |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition  | B.x.x       | Not affected                |
|----------------------------+-------------+-----------------------------|
| AsteriskNOW                | pre-release | beta6                       |
|----------------------------+-------------+-----------------------------|
| Asterisk Appliance         | 0.x.x       | 0.5.0                       |
| Developer Kit              |             |                             |
|----------------------------+-------------+-----------------------------|
| s800i (Asterisk Appliance) | 1.0.x       | 1.0.0-beta5 up to and       |
|                            |             | including 1.0.2             |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product              | Release                                         |
|----------------------+-------------------------------------------------|
| Asterisk Open Source | 1.2.23 and 1.4.9, available for download from   |
|                      | http://ftp.digium.com/pub/asterisk              |
|----------------------+-------------------------------------------------|
| AsteriskNOW          | Beta6, available from                           |
|                      | http://www.asterisknow.org/. Users can update   |
|                      | using the system update feature in the          |
|                      | appliance control panel.                        |
|----------------------+-------------------------------------------------|
| Asterisk Appliance   | 0.6.0, available for download from              |
| Developer Kit        | http://ftp.digium.com/pub/aadk                  |
|----------------------+-------------------------------------------------|
| s800i (Asterisk      | 1.0.3                                           |
| Appliance)           |                                                 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links                                                                  |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security.                                      |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at http://ftp.digium.com/pub/asa/.pdf.          |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date              | Editor                  | Revisions Made           |
|-------------------+-------------------------+--------------------------|
| July 23, 2007     | russell@digium.com      | Initial Release          |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory -
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
[asterisk-dev] Asterisk 1.2.23 and 1.4.9 released
July 25, 2007
The Asterisk development team has released Asterisk versions 1.2.23 and 1.4.9.
These releases contain bug fixes, including one for a security vulnerability. The vulnerability is a potential Denial of Service attack when the Asterisk IAX2 channel driver is configured to allow unauthenticated calls.
We have released an Asterisk Security Advisory for the vulnerability. The current version of the advisory can be downloaded from the ftp site.
http://ftp.digium.com/pub/asa/ASA-2007-018.pdf
* Affected systems include all Asterisk installations running an affected version
that allow unauthenticated IAX2 calls. Affected open source versions include
1.2.20 through 1.2.22, and 1.4.5 through 1.4.8.
All users that have systems that meet the criteria listed above should
upgrade as soon as possible.
Thank you very much for your support.
[asterisk-biz] Voix Manager beta 2 released
July 23, 2007
Hello
Voix Manager Beta 2.2 has been released. We have added a new
template, so it is now possible to organize the extensions in groups; for
every group it is possible to turn the visibility on/off. We have changed
the click behavior on the extensions from double click to single click,
which is useful for touchscreen users. More improvements in the
graphic layout and in the tooltips, and some bugs fixed.
You can download it here:
http://www.voix.it/en/articoli/articoli/voix-manager-download.php
Try it and send me your opinions.
Luciano
[jadmin] jabberd-2.1.10 release
July 22, 2007
Another day, another jabberd 2.1 series release.
Get 2.1.10 release as usual at:
http://ftp.xiaoka.com/jabberd2/releases/jabberd-2.1.10.tar.gz
http://ftp.xiaoka.com/jabberd2/releases/jabberd-2.1.10.tar.bz2
and read: http://svn.xiaoka.com/jabberd2/trunk/UPGRADE
There are only some minor changes.
One new feature: roster items limitation option.
One new change: the ./configure script does not fall back to SASL implementations other than GnuSASL.
If you want to use an unsupported backend, you need to enforce it.
ChangeLog:
* Removed SASL backend fallbacks
* Added roster items limit option. Closes #89
* Added count support in SQLite3 backend
For a full ChangeLog see:
http://svn.xiaoka.com/jabberd2/trunk/ChangeLog
[jadmin] jabberd-2.1.9 release
July 22, 2007
It's time for another jabberd 2.1 series release.
Get 2.1.9 release as usual at:
http://ftp.xiaoka.com/jabberd2/releases/jabberd-2.1.9.tar.gz
http://ftp.xiaoka.com/jabberd2/releases/jabberd-2.1.9.tar.bz2
and read: http://svn.xiaoka.com/jabberd2/trunk/UPGRADE
There are some new features in.
ChangeLog:
* Added jabber:x:oob redirection support during in-band registration
* Logging JID on disconnection
* Added counting packets on c2s and s2s connections
* Added TLS indicator for c2s and s2s logs. Closes #108
* Added type='log' to ComponentProtocol
For a full ChangeLog see:
http://svn.xiaoka.com/jabberd2/trunk/ChangeLog
[asterisk-users] AstLinux 0.4.7
July 22, 2007
Hello Everyone,
I have released AstLinux 0.4.7. This release includes Asterisk
1.2.22. More here:
http://www.astlinux.org/node/26
[asterisk-biz] Idefisk softphone – official 2.0 release – Zoiper
July 22, 2007
Hello guys,
The long-awaited 2.0 release of the Idefisk softphone is a fact.
Idefisk and Zoiper became one - Zoiper 2.06.
Here are some of the features: SIP and IAX, TCP, TLS support,
multi-language support, automatic provisioning (XML), URL handling,
Outlook integration, native conferencing, API, changeable number of
lines....
You can read the complete press release here:
http://www.zoiper.com/press.php
For more information please visit http://zoiper.com