Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 283624 (CVE-2009-2346)

Summary: <net-misc/asterisk-{1.2.35, 1.6.1.6} IAX2 DoS (CVE-2009-2346)
Product: Gentoo Security Reporter: Rajiv Aaron Manglani (RETIRED) <rajiv>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: voip+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.digium.com/pipermail/asterisk-announce/2009-September/000204.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-09-03 22:55:16 UTC 
The Asterisk Development Team has announced the release of Asterisk 1.2.35,
1.4.26.2, 1.6.0.15, and 1.6.1.6. These releases are available for immediate
download at http://downloads.asterisk.org/pub/telephony/asterisk/

These releases have been created in response to an IAX2 denial of service
vulnerability.

For more information about the details of this vulnerability, please read the
security advisory AST-2009-006, which was released at the same time as this
announcement.

The announcement is available at
http://downloads.asterisk.org/pub/security/AST-2009-006.pdf

Also, please see the PDF in doc/IAX2-security.pdf in your Asterisk source.

For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.2.35
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.26.2
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.15
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.6

Thank you for your continued support of Asterisk!



               Asterisk Project Security Advisory - AST-2009-006

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | IAX2 Call Number Resource Exhaustion              |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Major                                             |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | Yes - Published by Blake Cornell < blake AT       |
   |                    | remoteorigin DOT com > on voip0day.com            |
   |--------------------+---------------------------------------------------|
   |    Reported On     | June 22, 2008                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Noam Rathaus < noamr AT beyondsecurity DOT com >, |
   |                    | with his SSD program, also by Blake Cornell       |
   |--------------------+---------------------------------------------------|
   |     Posted On      | September 3, 2009                                 |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | September 3, 2009                                 |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant < russell AT digium DOT com >      |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2009-2346                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The IAX2 protocol uses a call number to associate        |
   |             | messages with the call that they belong to. However, the |
   |             | protocol defines the call number field in messages as a  |
   |             | fixed size 15 bit field. So, if all call numbers are in  |
   |             | use, no additional sessions can be handled.              |
   |             |                                                          |
   |             | A call number gets created at the start of an IAX2       |
   |             | message exchange. So, an attacker can send a large       |
   |             | number of messages and consume the call number space.    |
   |             | The attack is also possible using spoofed source IP      |
   |             | addresses as no handshake is required before a call      |
   |             | number is assigned.                                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to a version of Asterisk listed in this document  |
   |            | as containing the IAX2 protocol security enhancements. In |
   |            | addition to upgrading, administrators should consult the  |
   |            | users guide section of the IAX2 Security document         |
   |            | (IAX2-security.pdf), as well as the sample configuration  |
   |            | file for chan_iax2 that have been distributed with those  |
   |            | releases for assistance with new options that have been   |
   |            | provided.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Discussion | A lot of time was spent trying to come up with a way to   |
   |            | resolve this issue in a way that was completely backwards |
   |            | compatible. However, the final resolution ended up        |
   |            | requiring a modification to the IAX2 protocol. This       |
   |            | modification is referred to as call token validation.     |
   |            | Call token validation is used as a handshake before call  |
   |            | numbers are assigned to IAX2 connections.                 |
   |            |                                                           |
   |            | Call token validation by itself does not resolve the      |
   |            | issue. However, it does allow an IAX2 server to validate  |
   |            | that the source of the messages has not been spoofed. In  |
   |            | addition to call token validation, Asterisk now also has  |
   |            | the ability to limit the amount of call numbers assigned  |
   |            | to a given remote IP address.                             |
   |            |                                                           |
   |            | The combination of call token validation and call number  |
   |            | allocation limits is used to mitigate this denial of      |
   |            | service issue.                                            |
   |            |                                                           |
   |            | An alternative approach to securing IAX2 would be to use  |
   |            | a security layer on top of IAX2, such as DTLS [RFC4347]   |
   |            | or IPsec [RFC4301].                                       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.2.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.6.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     B.x.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     C.x.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    s800i (Asterisk Appliance)    |     1.3.x      | All versions       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.35          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.26.2         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.0.15         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.1.6          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.10         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.4.3          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.3.1.1          |
   |---------------------------------------------+--------------------------|
   |         S800i (Asterisk Appliance)          |         1.3.0.3          |
   +------------------------------------------------------------------------+

 +-----------------------------------------------------------------------------+
 |                                   Patches                                   |
 |-----------------------------------------------------------------------------|
 |                                 Link                                 |Branch|
 |----------------------------------------------------------------------+------|
 |http://downloads.asterisk.org/pub/security/AST-2009-006-1.2.diff.txt  |1.2   |
 |----------------------------------------------------------------------+------|
 |http://downloads.asterisk.org/pub/security/AST-2009-006-1.4.diff.txt  |1.4   |
 |----------------------------------------------------------------------+------|
 |http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.0.diff.txt|1.6.0 |
 |----------------------------------------------------------------------+------|
 |http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.1.diff.txt|1.6.1 |
 +-----------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |     Links      | http://www.rfc-editor.org/authors/rfc5456.txt         |
   |                | https://issues.asterisk.org/view.php?id=12912         |
   |                | http://www.beyondsecurity.com/ssd.html                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-006.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-006.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date       |        Editor        |        Revisions Made        |
   |------------------+----------------------+------------------------------|
   | 2009-09-03       | Russell Bryant       | Initial release              |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-006
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2009-09-04 13:12:20 UTC 
Arches, please test and mark stable net-misc/asterisk-1.2.35, target keywords:
"alpha amd64 ppc sparc x86"
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2009-09-04 13:14:32 UTC 
1.2 release train: In tree, awaiting stabling.
1.4 release train: Not in portage tree.
1.6.0 branch: No longer in portage tree.
1.6.1 branch: In tree now, masked so no stabling req'd. Vulnerable ebuilds killed.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-04 17:12:59 UTC 
amd64 stable.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2009-09-07 18:40:34 UTC 
Stable on alpha.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-08 09:00:06 UTC 
x86 stable
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-10 09:53:37 UTC 
CVE-2009-2346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2346):
  The IAX2 protocol implementation in Asterisk Open Source 1.2.x before
  1.2.35, 1.4.x before 1.4.26.2, 1.6.0.x before 1.6.0.15, and 1.6.1.x
  before 1.6.1.6; Business Edition B.x.x before B.2.5.10, C.2.x before
  C.2.4.3, and C.3.x before C.3.1.1; and s800i 1.3.x before 1.3.0.3
  allows remote attackers to cause a denial of service (call-number
  exhaustion) by initiating many IAX2 message exchanges, a related
  issue to CVE-2008-3263.
Comment 7 nixnut (RETIRED) gentoo-dev 2009-09-20 19:21:09 UTC 
ppc stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-10-01 17:21:05 UTC 
sparc stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 09:29:33 UTC 
All arches done, ready for vote. I vote YES.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 13:21:52 UTC 
Yes, too, request filed.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:18:16 UTC 
GLSA 201006-20