AST-2009-006: IAX2 Call Number Resource Exhaustion Sep 03 2009 10:47PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2009-006

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | IAX2 Call Number Resource Exhaustion |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Denial of Service |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote unauthenticated sessions |
|--------------------+--------------------------------------------------
-|
| Severity | Major |
|--------------------+--------------------------------------------------
-|
| Exploits Known | Yes - Published by Blake Cornell < blake AT |
| | remoteorigin DOT com > on voip0day.com |
|--------------------+--------------------------------------------------
-|
| Reported On | June 22, 2008 |
|--------------------+--------------------------------------------------
-|
| Reported By | Noam Rathaus < noamr AT beyondsecurity DOT com >, |
| | with his SSD program, also by Blake Cornell |
|--------------------+--------------------------------------------------
-|
| Posted On | September 3, 2009 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | September 3, 2009 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Russell Bryant < russell AT digium DOT com > |
|--------------------+--------------------------------------------------
-|
| CVE Name | CVE-2009-2346 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | The IAX2 protocol uses a call number to associate |
| | messages with the call that they belong to. However, the |
| | protocol defines the call number field in messages as a |
| | fixed size 15 bit field. So, if all call numbers are in |
| | use, no additional sessions can be handled. |
| | |
| | A call number gets created at the start of an IAX2 |
| | message exchange. So, an attacker can send a large |
| | number of messages and consume the call number space. |
| | The attack is also possible using spoofed source IP |
| | addresses as no handshake is required before a call |
| | number is assigned. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | Upgrade to a version of Asterisk listed in this document |
| | as containing the IAX2 protocol security enhancements. In |
| | addition to upgrading, administrators should consult the |
| | users guide section of the IAX2 Security document |
| | (IAX2-security.pdf), as well as the sample configuration |
| | file for chan_iax2 that have been distributed with those |
| | releases for assistance with new options that have been |
| | provided. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Discussion | A lot of time was spent trying to come up with a way to |
| | resolve this issue in a way that was completely backwards |
| | compatible. However, the final resolution ended up |
| | requiring a modification to the IAX2 protocol. This |
| | modification is referred to as call token validation. |
| | Call token validation is used as a handshake before call |
| | numbers are assigned to IAX2 connections. |
| | |
| | Call token validation by itself does not resolve the |
| | issue. However, it does allow an IAX2 server to validate |
| | that the source of the messages has not been spoofed. In |
| | addition to call token validation, Asterisk now also has |
| | the ability to limit the amount of call numbers assigned |
| | to a given remote IP address. |
| | |
| | The combination of call token validation and call number |
| | allocation limits is used to mitigate this denial of |
| | service issue. |
| | |
| | An alternative approach to securing IAX2 would be to use |
| | a security layer on top of IAX2, such as DTLS [RFC4347] |
| | or IPsec [RFC4301]. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release Series | |
|----------------------------------+----------------+-------------------
-|
| Asterisk Open Source | 1.2.x | All versions |
|----------------------------------+----------------+-------------------
-|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+-------------------
-|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+-------------------
-|
| Asterisk Business Edition | B.x.x | All versions |
|----------------------------------+----------------+-------------------
-|
| Asterisk Business Edition | C.x.x | All versions |
|----------------------------------+----------------+-------------------
-|
| s800i (Asterisk Appliance) | 1.3.x | All versions |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.2.35 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.4.26.2 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.6.0.15 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.6.1.6 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | B.2.5.10 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | C.2.4.3 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | C.3.1.1 |
|---------------------------------------------+-------------------------
-|
| S800i (Asterisk Appliance) | 1.3.0.3 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
------+
| Patches |
|-----------------------------------------------------------------------
------|
| Link |Branch|
|----------------------------------------------------------------------+
------|
|http://downloads.asterisk.org/pub/security/AST-2009-006-1.2.diff.txt |1.2 |
|----------------------------------------------------------------------+
------|
|http://downloads.asterisk.org/pub/security/AST-2009-006-1.4.diff.txt |1.4 |
|----------------------------------------------------------------------+
------|
|http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.0.diff.txt|
1.6.0 |
|----------------------------------------------------------------------+
------|
|http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.1.diff.txt|
1.6.1 |
+-----------------------------------------------------------------------
------+

+-----------------------------------------------------------------------
-+
| Links | http://www.rfc-editor.org/authors/rfc5456.txt |
| | https://issues.asterisk.org/view.php?id=12912 |
| | http://www.beyondsecurity.com/ssd.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-006.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-006.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|------------------+----------------------+-----------------------------
-|
| 2009-09-03 | Russell Bryant | Initial release |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2009-006
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus