BugTraq
AST-2008-011: Traffic amplification in IAX2 firmware provisioning system Jul 22 2008 11:16PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2008-011

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | Traffic amplification in IAX2 firmware |
| | provisioning system |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Traffic amplification attack |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote unauthenticated sessions |
|--------------------+--------------------------------------------------
-|
| Severity | Critical |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | July 18, 2008 |
|--------------------+--------------------------------------------------
-|
| Reported By | Tilghman Lesher < tlesher AT digium DOT com > |
|--------------------+--------------------------------------------------
-|
| Posted On | July 22, 2008 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | July 22, 2008 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|--------------------+--------------------------------------------------
-|
| CVE Name | CVE-2008-3264 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | An attacker may request an Asterisk server to send part |
| | of a firmware image. However, as this firmware download |
| | protocol does not initiate a handshake, the source |
| | address may be spoofed. Therefore, an IAX2 FWDOWNL |
| | request for a firmware file may consume as little as 40 |
| | bytes, yet produces a 1040 byte response. Coupled with |
| | multiple geographically diverse Asterisk servers, an |
| | attacker may flood an victim site with unwanted firmware |
| | packets. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Workaround | The only device which used this firmware upgrade |
| | procedure was the IAXy ATA device, and the last firmware |
| | upgrade was more than 18 months ago. It is unlikely that |
| | any IAXy devices in use today still need the last |
| | firmware upgrade. Therefore, deleting the firmware image |
| | from the directory where it is served from and sending a |
| | reload event to the Asterisk server is sufficient to |
| | purge the firmware image from the Asterisk server's |
| | memory. An Asterisk server which is unable to serve out |
| | the requested firmware image will reply to any such |
| | request with a much smaller REJECT packet, which is |
| | smaller than even the FWDOWNL packet. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | This firmware download procedure has been disabled by |
| | default in Asterisk. If you should still need to upgrade |
| | IAXys in the field, there is an option 'allowfwdownload' |
| | which can be enabled. However, due to the reasons |
| | specified on the Workaround section, it is recommended |
| | that you leave this option disabled and enable it only on |
| | secure internal networks when an IAXy is initially |
| | provisioned. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.30 |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.21.2 |
|----------------------------------+-------------+----------------------
-|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------------+-------------+----------------------
-|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------------+-------------+----------------------
-|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+-------------+----------------------
-|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.5.4 |
|----------------------------------+-------------+----------------------
-|
| Asterisk Business Edition | C.x.x | All versions prior to |
| | | C.1.10.3 |
|----------------------------------+-------------+----------------------
-|
| AsteriskNOW | pre-release | All versions |
|----------------------------------+-------------+----------------------
-|
| Asterisk Appliance Developer Kit | 0.x.x | All versions |
|----------------------------------+-------------+----------------------
-|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.2.0.1 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.2.30 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.4.21.2 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | B.2.5.4 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | C.1.10.3 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | C.2.0.3 |
|---------------------------------------------+-------------------------
-|
| s800i (Asterisk Appliance) | 1.2.0.1 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Links | |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-011.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-011.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-----------------+--------------------+--------------------------------
-|
| July 22, 2008 | Tilghman Lesher | Initial release |
|-----------------+--------------------+--------------------------------
-|
| July 22, 2008 | Tilghman Lesher | Revised C.1 version numbers |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2008-011
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus