Asterisk IAX2 Channel Driver Denial of Service Vulnerability (CVE-2007-4103)

Vulnerability ID: 1189607    Type: Other (resource exhaustion / denial of service)
Published: 2007-07-31    Updated: 2007-08-02
CVE: CVE-2007-4103    CNNVD ID: CNNVD-200707-568
Platform: N/A    CVSS score: 7.8
|Source
https://cxsecurity.com/issue/WLB-2007080027
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-568
|Details
Asterisk is an open-source software PBX that supports a range of VoIP protocols and devices. When it is configured to allow unauthenticated calls, its IAX2 channel driver (chan_iax2) is vulnerable to denial of service. An attacker can send a flood of IAX2 NEW frames for valid extensions on the server, each of which starts a call as the unauthenticated user. Every such call allocates resources on the Asterisk system that are never released, and the IAX2 channel driver keeps rescheduling retransmissions (PINGs and LAGRQs) for each forged call indefinitely. System resources are exhausted within seconds, and the only way to recover is to restart Asterisk. No exploit was publicly known at the time of the advisory; the vendor advisory follows.
|Advisory (ASA-2007-018)
               Asterisk Project Security Advisory - ASA-2007-018

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Resource Exhaustion vulnerability in IAX2 channel |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 19, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Russell Bryant, Digium, Inc. <russell@digium.com> |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 23, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 25, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant <russell@digium.com>               |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-4103                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The IAX2 channel driver in Asterisk is vulnerable to a   |
   |             | Denial of Service attack when configured to allow        |
   |             | unauthenticated calls. An attacker can send a flood of   |
   |             | NEW packets for valid extensions to the server to        |
   |             | initiate calls as the unauthenticated user. This will    |
   |             | cause resources on the Asterisk system to get allocated  |
   |             | that will never go away. Furthermore, the IAX2 channel   |
   |             | driver will be stuck trying to reschedule                |
   |             | retransmissions for each of these fake calls forever.    |
   |             | This can very quickly bring down a system and the only   |
   |             | way to recover is to restart Asterisk.                   |
   |             |                                                          |
   |             | Detailed Explanation:                                    |
   |             |                                                          |
   |             | Within the last few months, we made some changes to      |
   |             | chan_iax2 to combat the abuse of this module for traffic |
   |             | amplification attacks. Unfortunately, this has caused an |
   |             | unintended side effect.                                  |
   |             |                                                          |
   |             | The summary of the change to combat traffic              |
   |             | amplification is this. Once you start the PBX on the     |
   |             | Asterisk channel, it will begin receiving frames to be   |
   |             | sent back out to the network. We delayed this from       |
   |             | happening until a 3-way handshake has occurred to help   |
   |             | ensure that we are talking to the IP address the         |
   |             | messages appear to be coming from.                       |
   |             |                                                          |
   |             | When chan_iax2 accepts an unauthenticated call, it       |
   |             | immediately creates the ast_channel for the call.        |
   |             | However, since the 3-way handshake has not been          |
   |             | completed, the PBX is not started on this channel.       |
   |             |                                                          |
   |             | Later, when the maximum number of retries have been      |
   |             | exceeded on responses to this NEW, the code tries to     |
   |             | hang up the call. Now, it has 2 ways to do this,         |
   |             | depending on if there is an ast_channel related to this  |
   |             | IAX2 session or not. If there is no channel, then it can |
   |             | just destroy the iax2 private structure and move on. If  |
   |             | there is a channel, it queues a HANGUP frame, and        |
   |             | expects that to make the ast_channel get torn down,      |
   |             | which would then cause the pvt struct to get destroyed   |
   |             | afterwards.                                              |
   |             |                                                          |
   |             | However, since there was no PBX started on this channel, |
   |             | there is nothing servicing the channel to receive the    |
   |             | HANGUP frame. Therefore, the call never gets destroyed.  |
   |             | To make things worse, there is some code continuously    |
   |             | rescheduling PINGs and LAGRQs to be sent for the active  |
   |             | IAX2 call, which will always fail.                       |
   |             |                                                          |
   |             | In summary, sending a bunch of NEW frames to request     |
   |             | unauthenticated calls can make a server unusable within  |
   |             | a matter of seconds.                                     |
   +------------------------------------------------------------------------+
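The teardown logic in the Detailed Explanation above, as a small model added for this page (it is not chan_iax2 code and not the fix Digium shipped). It keeps only the pieces the advisory describes: an unauthenticated NEW creates the pvt and its ast_channel at once, the PBX is started only after the 3-way handshake, and once retransmissions of the reply to the NEW run out the driver must tear the call down through one of two paths. The retry limit, the scheduler granularity, the class names and the "fixed" path (destroy the pvt directly when nothing is servicing the channel) are assumptions of the model; the point it shows is that a HANGUP queued to a channel with no running PBX is never consumed, so the session count and the PING/LAGRQ rescheduling never go down.

```python
"""Model of the chan_iax2 teardown path described in ASA-2007-018.
Constructed illustration, not Asterisk source; retry limit and the
'fixed' teardown path are assumptions of the model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_RETRIES = 4          # assumed retransmit limit before the driver gives up


@dataclass
class Channel:
    """Stand-in for ast_channel: a frame queue that only a running PBX reads."""
    pbx_started: bool = False
    queue: List[str] = field(default_factory=list)


@dataclass
class Session:
    """Stand-in for the chan_iax2 pvt structure."""
    callno: int
    channel: Optional[Channel]
    retries: int = 0
    alive: bool = True


class Driver:
    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed                   # False: behaviour the advisory describes
        self.sessions: Dict[int, Session] = {}
        self.next_callno = 1
        self.scheduled_pings = 0             # PING/LAGRQ reschedules, a proxy for wasted work

    def recv_new(self) -> int:
        """An unauthenticated NEW is accepted: pvt and ast_channel exist at once,
        but no PBX runs on the channel until the 3-way handshake completes."""
        s = Session(self.next_callno, Channel(pbx_started=False))
        self.sessions[s.callno] = s
        self.next_callno += 1
        return s.callno

    def complete_handshake(self, callno: int) -> None:
        """Third leg of the handshake: source address confirmed, PBX started."""
        self.sessions[callno].channel.pbx_started = True

    def hangup(self, s: Session) -> None:
        """The two teardown paths the advisory describes."""
        if s.channel is None:
            self.destroy(s)                  # no channel: free the pvt directly
        elif self.fixed and not s.channel.pbx_started:
            self.destroy(s)                  # modelled fix: nobody will ever read the queue
        else:
            s.channel.queue.append("HANGUP") # rely on the PBX to see it and tear down

    def destroy(self, s: Session) -> None:
        s.alive = False
        self.sessions.pop(s.callno, None)

    def tick(self) -> None:
        """One scheduler pass: retransmit unanswered replies, reschedule
        PINGs/LAGRQs for every live call, let running PBXs drain their queues."""
        for s in list(self.sessions.values()):
            if s.channel is None or not s.channel.pbx_started:   # reply to NEW unacknowledged
                s.retries += 1
                if s.retries > MAX_RETRIES:
                    self.hangup(s)
            if s.alive:
                self.scheduled_pings += 1
        for s in list(self.sessions.values()):
            if s.channel is not None and s.channel.pbx_started:
                while s.channel.queue:
                    if s.channel.queue.pop(0) == "HANGUP":
                        self.destroy(s)
                        break


def flood(fixed: bool, new_frames: int, ticks: int) -> Tuple[int, int]:
    """Send new_frames unauthenticated NEWs that are never acknowledged, run the
    scheduler for ticks passes; return (live sessions, PING/LAGRQ reschedules)."""
    d = Driver(fixed)
    for _ in range(new_frames):
        d.recv_new()
    for _ in range(ticks):
        d.tick()
    return len(d.sessions), d.scheduled_pings


def legitimate_call_teardown(fixed: bool) -> int:
    """A caller that completes the handshake and is then hung up: the queued
    HANGUP is serviced because a PBX is running, so the session is freed."""
    d = Driver(fixed)
    callno = d.recv_new()
    d.complete_handshake(callno)
    d.hangup(d.sessions[callno])
    d.tick()
    return len(d.sessions)


if __name__ == "__main__":
    print("vulnerable:", flood(False, 100, 20))     # sessions never freed, pings keep growing
    print("fixed:     ", flood(True, 100, 20))      # all sessions gone after the retry limit
    print("legit call:", legitimate_call_teardown(False))
```

With the vulnerable path, 100 unacknowledged NEWs leave 100 live sessions after 20 scheduler passes and every pass reschedules a PING/LAGRQ for each of them; with the modelled fix the sessions are gone as soon as the retry limit is hit. The legitimate-call case is why the bug went unnoticed: the HANGUP-via-channel path is correct whenever a PBX is servicing the channel.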

   +------------------------------------------------------------------------+
   | Resolution | The default configuration that is distributed with        |
   |            | Asterisk includes a guest account that allows             |
   |            | unauthenticated calls. If this account and any other      |
   |            | account without a password is disabled for IAX2, then the |
   |            | system is not vulnerable to this problem.                 |
   |            |                                                           |
   |            | For systems that continue to allow unauthenticated IAX2   |
   |            | calls, they must be updated to one of the versions listed |
   |            | as including the fix below.                               |
   +------------------------------------------------------------------------+
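A check for the Resolution above, added for this page (not an Asterisk tool): parse an iax.conf and list every entry that accepts inbound calls without a credential. The sample configuration is constructed; its [guest] entry is modelled on the guest account the advisory says ships in the default iax.conf, and the trunk names, secrets and contexts are made up. The rule applied is an assumption: an entry of type user or friend (peer entries only place calls) with neither a `secret` (plaintext/md5 auth) nor `inkeys` (RSA auth) accepts a call from anyone who sends a NEW. Template sections (`(!)`) are skipped, and values inherited from templates are resolved so that an entry that relies on a template for its type but supplies no secret is still flagged.

```python
"""Audit an iax.conf for entries that accept unauthenticated inbound IAX2 calls.
Added example, not an Asterisk tool; the sample configs below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*(?:\(([^)]*)\))?\s*$")


@dataclass
class Section:
    name: str
    template: bool = False
    parents: List[str] = field(default_factory=list)
    values: Dict[str, str] = field(default_factory=dict)


def parse_asterisk_conf(text: str) -> Dict[str, Section]:
    """Parse Asterisk's INI-like syntax: [name], [name](!) templates,
    [name](tmpl,...) inheritance, key=value or key=>value, ';' comments.
    Template values are applied first; the entry's own values win."""
    raw: Dict[str, Section] = {}
    current = None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            current = raw.setdefault(m.group(1), Section(m.group(1)))
            current.template = current.template or "!" in opts
            current.parents += [o for o in opts if o != "!"]
            continue
        if current is None:
            continue                                  # key before any section header
        key, found, value = line.partition("=>" if "=>" in line else "=")
        if found:
            current.values[key.strip()] = value.strip()

    def resolved(sec: Section, seen: tuple) -> Dict[str, str]:
        merged: Dict[str, str] = {}
        for p in sec.parents:
            if p in raw and p not in seen:            # guard against template cycles
                merged.update(resolved(raw[p], seen + (sec.name,)))
        merged.update(sec.values)
        return merged

    return {n: Section(n, s.template, s.parents, resolved(s, ())) for n, s in raw.items()}


def audit_iax_conf(text: str) -> List[str]:
    """Names of non-template entries that take inbound calls (type user or
    friend) with neither a shared secret nor an RSA inkeys entry. Assumed rule."""
    unauthenticated = []
    for name, sec in parse_asterisk_conf(text).items():
        if name == "general" or sec.template:
            continue
        if sec.values.get("type", "").lower() not in ("user", "friend"):
            continue                                  # peer entries only place calls
        if sec.values.get("secret") or sec.values.get("inkeys"):
            continue
        unauthenticated.append(name)
    return sorted(unauthenticated)


# Constructed iax.conf excerpt: a default-style guest entry plus a branch that
# inherits a template without supplying its own secret.
VULNERABLE_CONF = """\
[general]
bindport=4569

[guest]                      ; unauthenticated guest account, as in the default config
type=user
context=default
callerid="Guest IAX User"

[trunk-template](!)
type=friend
host=dynamic
auth=md5

[branch-a](trunk-template)
secret=Example-Secret-A
context=from-branch

[branch-b](trunk-template)   ; no secret of its own and none from the template
context=from-branch
"""

# Same file with the guest entry removed and every inbound entry given a secret.
HARDENED_CONF = """\
[general]
bindport=4569

[trunk-template](!)
type=friend
host=dynamic
auth=md5

[branch-a](trunk-template)
secret=Example-Secret-A
context=from-branch

[branch-b](trunk-template)
secret=Example-Secret-B
context=from-branch
"""

if __name__ == "__main__":
    print("unauthenticated inbound entries:", audit_iax_conf(VULNERABLE_CONF))
    print("after hardening:", audit_iax_conf(HARDENED_CONF))
```

Run it against the live `/etc/asterisk/iax.conf` (`audit_iax_conf(open(path).read())`) after a `reload` on a patched server as well: the fixed releases stop the resource leak, but an unauthenticated user or friend entry still lets anyone on the network place calls into that context.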

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | 1.2.20, 1.2.21, 1.2.21.1,   |
   |                            |             | 1.2.22                      |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | 1.4.5, 1.4.6, 1.4.7,        |
   |                            |             | 1.4.7.1, 1.4.8              |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | beta6                       |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | 0.5.0                       |
   |       Developer Kit        |             |                             |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | 1.0.0-beta5 up to and       |
   |                            |             | including 1.0.2             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |     1.2.23 and 1.4.9, available for download from      |
   |    Source     |           http://ftp.digium.com/pub/asterisk           |
   |---------------+--------------------------------------------------------|
   |  AsteriskNOW  |                 Beta6, available from                  |
   |               |              http://www.asterisknow.org/.              |
   |               |  Users can update using the system update feature in   |
   |               |              the appliance control panel.              |
   |---------------+--------------------------------------------------------|
   |   Asterisk    |           0.6.0, available for download from           |
   |   Appliance   |             http://ftp.digium.com/pub/aadk             |
   | Developer Kit |                                                        |
   |---------------+--------------------------------------------------------|
   |     s800i     |                         1.0.3                          |
   |   (Asterisk   |                                                        |
   |  Appliance)   |                                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-018.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions Made      |
   |-------------------+-------------------------+--------------------------|
   | July 23, 2007     | russell@digium.com      | Initial Release          |
   +------------------------------------------------------------------------+

Asterisk Project Security Advisory - ASA-2007-018
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
|References

VUPEN ADV-2007-2701: http://www.frsirt.com/english/advisories/2007/2701
SECUNIA 26274: http://secunia.com/advisories/26274
ftp.digium.com (ASA-2007-018): http://ftp.digium.com/pub/asa/ASA-2007-018.pdf
SECTRACK 1018472: http://www.securitytracker.com/id?1018472
BUGTRAQ 20070729 "ASA-2007-018: Resource exhaustion vulnerability in IAX2 channel driver": http://www.securityfocus.com/archive/1/archive/1/475069/100/0/threaded
OSVDB 38197: http://osvdb.org/38197
BID 24950: http://www.securityfocus.com/bid/24950
SREASON 2960: http://securityreason.com/securityalert/2960
GENTOO GLSA-200802-11: http://security.gentoo.org/glsa/glsa-200802-11.xml
SECUNIA 29051: http://secunia.com/advisories/29051
bugs.gentoo.org 185713: http://bugs.gentoo.org/show_bug.cgi?id=185713