[VulnWatch] ASA-2007-018: Resource exhaustion vulnerability in IAX2 channel driver

From: Security Response Team (security@private)
Date: Sun Jul 29 2007 - 16:39:18 PDT


               Asterisk Project Security Advisory - ASA-2007-018

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Resource Exhaustion vulnerability in IAX2 channel |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 19, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Russell Bryant, Digium, Inc. <russell@private> |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 23, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 25, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant <russell@private>               |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The IAX2 channel driver in Asterisk is vulnerable to a   |
   |             | Denial of Service attack when configured to allow        |
   |             | unauthenticated calls. An attacker can send a flood of   |
   |             | NEW packets for valid extensions to the server to        |
   |             | initiate calls as the unauthenticated user. This will    |
   |             | cause resources on the Asterisk system to get allocated  |
   |             | that will never go away. Furthermore, the IAX2 channel   |
   |             | driver will be stuck trying to reschedule                |
   |             | retransmissions for each of these fake calls forever.    |
   |             | This can very quickly bring down a system and the only   |
   |             | way to recover is to restart Asterisk.                   |
   |             |                                                          |
   |             | Detailed Explanation:                                    |
   |             |                                                          |
   |             | Within the last few months, we made some changes to      |
   |             | chan_iax2 to combat the abuse of this module for traffic |
   |             | amplification attacks. Unfortunately, this has caused an |
   |             | unintended side effect.                                  |
   |             |                                                          |
   |             | The summary of the change to combat traffic              |
   |             | amplification is this. Once you start the PBX on the     |
   |             | Asterisk channel, it will begin receiving frames to be   |
   |             | sent back out to the network. We delayed this from       |
   |             | happening until a 3-way handshake has occurred to help   |
   |             | ensure that we are talking to the IP address the         |
   |             | messages appear to be coming from.                       |
   |             |                                                          |
   |             | When chan_iax2 accepts an unauthenticated call, it       |
   |             | immediately creates the ast_channel for the call.        |
   |             | However, since the 3-way handshake has not been          |
   |             | completed, the PBX is not started on this channel.       |
   |             |                                                          |
   |             | Later, when the maximum number of retries have been      |
   |             | exceeded on responses to this NEW, the code tries to     |
   |             | hang up the call. Now, it has 2 ways to do this,         |
   |             | depending on if there is an ast_channel related to this  |
   |             | IAX2 session or not. If there is no channel, then it can |
   |             | just destroy the iax2 private structure and move on. If  |
   |             | there is a channel, it queues a HANGUP frame, and        |
   |             | expects that to make the ast_channel get torn down,      |
   |             | which would then cause the pvt struct to get destroyed   |
   |             | afterwords.                                              |
   |             |                                                          |
   |             | However, since there was no PBX started on this channel, |
   |             | there is nothing servicing the channel to receive the    |
   |             | HANGUP frame. Therefore, the call never gets destroyed.  |
   |             | To make things worse, there is some code continuously    |
   |             | rescheduling PINGs and LAGRQs to be sent for the active  |
   |             | IAX2 call, which will always fail.                       |
   |             |                                                          |
   |             | In summary, sending a bunch of NEW frames to request     |
   |             | unauthenticated calls can make a server unusable within  |
   |             | a matter of seconds.                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | The default configuration that is distributed with        |
   |            | Asterisk includes a guest account that allows             |
   |            | unauthenticated calls. If this account and any other      |
   |            | account without a password is disabled for IAX2, then the |
   |            | system is not vulnerable to this problem.                 |
   |            |                                                           |
   |            | For systems that continue to allow unauthenticated IAX2   |
   |            | calls, they must be updated to one of the versions listed |
   |            | as including the fix below.                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | 1.2.20, 1.2.21, 1.2.21.1,   |
   |                            |             | 1.2.22                      |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | 1.4.5, 1.4.6, 1.4.7,        |
   |                            |             | 1.4.7.1, 1.4.8              |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | beta6                       |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | 0.5.0                       |
   |       Developer Kit        |             |                             |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | 1.0.0-beta5 up to and       |
   |                            |             | including 1.0.2             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |     1.2.23 and 1.4.9, available for download from      |
   |    Source     |           http://ftp.digium.com/pub/asterisk           |
   |---------------+--------------------------------------------------------|
   |  AsteriskNOW  |                 Beta6, available from                  |
   |               |  [LINK][LINK]http://www.asterisknow.org/[LINK][LINK].  |
   |               |  Users can update using the system update feature in   |
   |               |              the appliance control panel.              |
   |---------------+--------------------------------------------------------|
   |   Asterisk    |           0.6.0, available for download from           |
   |   Appliance   |             http://ftp.digium.com/pub/aadk             |
   | Developer Kit |                                                        |
   |---------------+--------------------------------------------------------|
   |     s800i     |                         1.0.3                          |
   |   (Asterisk   |                                                        |
   |  Appliance)   |                                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | [LINK][LINK]http://www.asterisk.org/security[LINK][LINK].              |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-018.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions Made      |
   |-------------------+-------------------------+--------------------------|
   | July 23, 2007     | russell@private      | Initial Release          |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-018
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.



This archive was generated by hypermail 2.1.3 : Tue Jul 31 2007 - 11:10:59 PDT