copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2007.0946 -- [UNIX/Linux] -- Resource Exhaustion vulnerability in IAX2 channel driver

Date: 10 August 2007
References: ESB-2007.0969  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2007.0946 -- [UNIX/Linux]
         Resource Exhaustion vulnerability in IAX2 channel driver
                              10 August 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Asterisk Open Source 1.4.8 and prior
                      Asterisk Open Source 1.2.22 and prior
                      AsteriskNOW beta6 and prior
                      Asterisk Appliance Developer Kit 0.5.0 and prior
                      s800i (Asterisk Appliance) 1.0.2 and prior
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-4103 

Original Bulletin:    http://ftp.digium.com/pub/asa/ASA-2007-018.pdf

Revision History:  August 10 2007: Added CVE Names
                     July 31 2007: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - ASA-2007-018

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Resource Exhaustion vulnerability in IAX2 channel |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 19, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Russell Bryant, Digium, Inc. <russell@digium.com> |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 23, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 25, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant <russell@digium.com>               |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The IAX2 channel driver in Asterisk is vulnerable to a   |
   |             | Denial of Service attack when configured to allow        |
   |             | unauthenticated calls. An attacker can send a flood of   |
   |             | NEW packets for valid extensions to the server to        |
   |             | initiate calls as the unauthenticated user. This will    |
   |             | cause resources on the Asterisk system to get allocated  |
   |             | that will never go away. Furthermore, the IAX2 channel   |
   |             | driver will be stuck trying to reschedule                |
   |             | retransmissions for each of these fake calls forever.    |
   |             | This can very quickly bring down a system and the only   |
   |             | way to recover is to restart Asterisk.                   |
   |             |                                                          |
   |             | Detailed Explanation:                                    |
   |             |                                                          |
   |             | Within the last few months, we made some changes to      |
   |             | chan_iax2 to combat the abuse of this module for traffic |
   |             | amplification attacks. Unfortunately, this has caused an |
   |             | unintended side effect.                                  |
   |             |                                                          |
   |             | The summary of the change to combat traffic              |
   |             | amplification is this. Once you start the PBX on the     |
   |             | Asterisk channel, it will begin receiving frames to be   |
   |             | sent back out to the network. We delayed this from       |
   |             | happening until a 3-way handshake has occurred to help   |
   |             | ensure that we are talking to the IP address the         |
   |             | messages appear to be coming from.                       |
   |             |                                                          |
   |             | When chan_iax2 accepts an unauthenticated call, it       |
   |             | immediately creates the ast_channel for the call.        |
   |             | However, since the 3-way handshake has not been          |
   |             | completed, the PBX is not started on this channel.       |
   |             |                                                          |
   |             | Later, when the maximum number of retries have been      |
   |             | exceeded on responses to this NEW, the code tries to     |
   |             | hang up the call. Now, it has 2 ways to do this,         |
   |             | depending on if there is an ast_channel related to this  |
   |             | IAX2 session or not. If there is no channel, then it can |
   |             | just destroy the iax2 private structure and move on. If  |
   |             | there is a channel, it queues a HANGUP frame, and        |
   |             | expects that to make the ast_channel get torn down,      |
   |             | which would then cause the pvt struct to get destroyed   |
   |             | afterwords.                                              |
   |             |                                                          |
   |             | However, since there was no PBX started on this channel, |
   |             | there is nothing servicing the channel to receive the    |
   |             | HANGUP frame. Therefore, the call never gets destroyed.  |
   |             | To make things worse, there is some code continuously    |
   |             | rescheduling PINGs and LAGRQs to be sent for the active  |
   |             | IAX2 call, which will always fail.                       |
   |             |                                                          |
   |             | In summary, sending a bunch of NEW frames to request     |
   |             | unauthenticated calls can make a server unusable within  |
   |             | a matter of seconds.                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | The default configuration that is distributed with        |
   |            | Asterisk includes a guest account that allows             |
   |            | unauthenticated calls. If this account and any other      |
   |            | account without a password is disabled for IAX2, then the |
   |            | system is not vulnerable to this problem.                 |
   |            |                                                           |
   |            | For systems that continue to allow unauthenticated IAX2   |
   |            | calls, they must be updated to one of the versions listed |
   |            | as including the fix below.                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | 1.2.20, 1.2.21, 1.2.21.1,   |
   |                            |             | 1.2.22                      |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | 1.4.5, 1.4.6, 1.4.7,        |
   |                            |             | 1.4.7.1, 1.4.8              |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | beta6                       |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | 0.5.0                       |
   |       Developer Kit        |             |                             |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | 1.0.0-beta5 up to and       |
   |                            |             | including 1.0.2             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |     1.2.23 and 1.4.9, available for download from      |
   |    Source     |           http://ftp.digium.com/pub/asterisk           |
   |---------------+--------------------------------------------------------|
   |  AsteriskNOW  |                 Beta6, available from                  |
   |               |  [LINK][LINK]http://www.asterisknow.org/[LINK][LINK].  |
   |               |  Users can update using the system update feature in   |
   |               |              the appliance control panel.              |
   |---------------+--------------------------------------------------------|
   |   Asterisk    |           0.6.0, available for download from           |
   |   Appliance   |             http://ftp.digium.com/pub/aadk             |
   | Developer Kit |                                                        |
   |---------------+--------------------------------------------------------|
   |     s800i     |                         1.0.3                          |
   |   (Asterisk   |                                                        |
   |  Appliance)   |                                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | [LINK][LINK]http://www.asterisk.org/security[LINK][LINK].              |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-018.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions Made      |
   |-------------------+-------------------------+--------------------------|
   | July 23, 2007     | russell@digium.com      | Initial Release          |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-018
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRru88Sh9+71yA2DNAQLPkwP7BqvZpW5IYppx9J/XY1YZGlA1t/ZCmjWc
YVjGjWos9QvMT+WqYpaWsFt1jvfDf2r9r8lP9c4FLZWSKpM3jlaSNTokS+EAiJhv
x12F09vaVnDNIhZLu2rUGUy8IaiAzReDLQ0NWDqiuE1IeKOLdyzLtlAFLWS13Iml
VM7PDkHAUjg=
=p4Ls
-----END PGP SIGNATURE-----