
AST-2008-010: Asterisk IAX POKE resource exhaustion

Mon, 11 Aug 2008 21:11:36 -0300

An Asterisk Project Security Advisory has been released relating to the ability of a flood of POKE messages to cause Asterisk to run out of call numbers:

Product:            Asterisk
Summary:            Asterisk IAX 'POKE' resource exhaustion
Nature of Advisory: Denial of service
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Critical
Exploits Known:     Yes
Reported On:        July 18, 2008
Reported By:        Jeremy McNamara < jj AT nufone DOT net >
Posted On:          July 22, 2008
Last Updated On:    July 28, 2008
Advisory Contact:   Tilghman Lesher < tlesher AT digium DOT com >
CVE Name:           CVE-2008-3263

Description

By flooding an Asterisk server with IAX2 'POKE' requests, an attacker may eat up all call numbers associated with the IAX2 protocol on an Asterisk server and prevent other IAX2 calls from getting through. Due to the nature of the protocol, IAX2 POKE calls will expect an ACK packet in response to the PONG packet sent in response to the POKE. While waiting for this ACK packet, this dialog consumes an IAX2 call number, as the ACK packet must contain the same call number as was allocated and sent in the PONG.

Resolution

The implementation has been changed to no longer allocate an IAX2 call number for POKE requests. Instead, call number 1 has been reserved for all responses to POKE requests, and ACK packets referencing call number 1 will be silently dropped.

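To make the Description and Resolution concrete, here is an added model (not Asterisk's code) of the server-side call-number pool: the vulnerable handler allocates a call number per PONG and holds it until the ACK arrives, while the fixed handler answers from the reserved call number 1 and drops ACKs addressed to it. The pool size, the class and function names, and the frame handling are simplifications assumed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

POKE_CALLNO = 1  # reserved for every PONG once the AST-2008-010 fix is applied


@dataclass
class Iax2CallTable:
    """Server-side call-number pool (illustrative; real IAX2 call numbers
    are 15-bit values, so the default pool_size is an assumption)."""
    pool_size: int = 32767
    fixed: bool = False                               # apply the fix?
    in_use: set = field(default_factory=set)          # allocated call numbers
    awaiting_ack: set = field(default_factory=set)    # PONGs still expecting ACK

    def allocate(self) -> Optional[int]:
        """Hand out the lowest free call number, skipping the reserved one
        when the fix is in place; None means the pool is exhausted."""
        first = POKE_CALLNO + 1 if self.fixed else 1
        for callno in range(first, self.pool_size + 1):
            if callno not in self.in_use:
                self.in_use.add(callno)
                return callno
        return None

    def handle_poke(self) -> Optional[int]:
        """Answer a POKE with a PONG; return the PONG's source call number."""
        if self.fixed:
            return POKE_CALLNO            # nothing allocated, nothing to wait for
        callno = self.allocate()
        if callno is not None:
            self.awaiting_ack.add(callno)  # held until the peer ACKs the PONG
        return callno

    def handle_ack(self, dst_callno: int) -> bool:
        """Process an ACK for a PONG; True if it released a call number."""
        if self.fixed and dst_callno == POKE_CALLNO:
            return False                  # silently dropped, as the fix does
        if dst_callno in self.awaiting_ack:
            self.awaiting_ack.discard(dst_callno)
            self.in_use.discard(dst_callno)
            return True
        return False


def unacked_pokes_then_call(fixed: bool, pokes: int, pool_size: int = 16):
    """Receive `pokes` POKEs whose PONGs are never ACKed, then try to place a
    legitimate call. Returns (call numbers held, call number for the real call)."""
    table = Iax2CallTable(pool_size=pool_size, fixed=fixed)
    for _ in range(pokes):
        table.handle_poke()
    return len(table.awaiting_ack), table.allocate()
```

With a 16-entry pool, 16 unacknowledged POKEs leave the unfixed table unable to allocate a call number for a real call, whereas the fixed table holds nothing and still allocates.
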
Commentary

This vulnerability was reported to us without exploit code, less than two days before public release, with exploit code. Additionally, we were not informed of the public release of the exploit code and only learned this fact from a third party. We reiterate that this is irresponsible security disclosure, and we recommend that in the future, adequate time be given to fix any such vulnerability. Recommended reading:
http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf

Update:
Since we've heard from a few people who seem to be faulting Jeremy McNamara for irresponsible disclosure, let me just say that Jeremy is the innocent third party in the above paragraph. He sought to tell us prior to the public disclosure even though the researcher responsible apparently did not. That researcher contacted us well after this advisory was published, which was the first we'd heard from him. I won't disclose his name here. I think he's learned a valuable lesson both about responsible disclosure, as well as putting one of his friends in the middle of this firestorm. His name isn't that difficult to find, but to avoid the inevitable flames that might erupt, I'll leave it off here. Suffice it to say, Jeremy does not deserve the derision of either the Asterisk or the security communities. If you misunderstood the original advisory and blamed Jeremy, I hope you will take some time to make amends.

Affected Versions

Product                           Release Series   Affected
Asterisk Open Source              1.0.x            All versions
Asterisk Open Source              1.2.x            All versions prior to 1.2.30
Asterisk Open Source              1.4.x            All versions prior to 1.4.21.2
Asterisk Addons                   1.2.x            Not affected
Asterisk Addons                   1.4.x            Not affected
Asterisk Business Edition         A.x.x            All versions
Asterisk Business Edition         B.x.x.x          All versions prior to B.2.5.4
Asterisk Business Edition         C.x.x.x          All versions prior to C.1.10.3
AsteriskNOW                       pre-release      All versions
Asterisk Appliance Developer Kit  0.x.x            All versions
s800i (Asterisk Appliance)        1.0.x            All versions prior to 1.2.0.1

Corrected In

Product                           Release
Asterisk Open Source              1.2.30.1
Asterisk Open Source              1.4.21.2
Asterisk Business Edition         B.2.5.4
Asterisk Business Edition         C.1.10.3
Asterisk Business Edition         C.2.0.3
s800i (Asterisk Appliance)        1.2.0.1

Links

http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf
http://www.securityfocus.com/bid/30321/info

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2008-010.pdf and http://downloads.digium.com/pub/security/AST-2008-010.html

Revision History

Date            Editor            Revisions Made
July 22, 2008   Tilghman Lesher   Initial release
July 22, 2008   Tilghman Lesher   Revised C.1 version numbers
July 24, 2008   Tilghman Lesher   Released 1.2.30.1 to account for an error in patching
July 28, 2008   Tilghman Lesher   Updated commentary to make it clear that Jeremy was not at fault.

Asterisk Project Security Advisory - AST-2008-010
Copyright © 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

Original Content (C) 2004-2010 Matt Riddell