Koozali.org: home of the SME Server

Asterisk 1.2.9.1- new security fix

WillKemp

Asterisk 1.2.9.1- new security fix
« on: June 08, 2006, 11:35:47 AM »
5th June 06:
Quote
The Asterisk Development Team today released Asterisk 1.2.9.1 and Asterisk 1.0.11.1 to address a security vulnerability in the IAX2 channel driver (chan_iax2).

http://asterisk.org/

SARK devs
http://sarkpbx.com
Asterisk 1.2.9.1- new security fix
« Reply #1 on: June 08, 2006, 08:50:00 PM »
Thanks Will,

This is good to know. In vanilla SAIL, we don't allow any public IAX access to the system; however, a user could create a guest account in headers and this would expose the issue.

We'll move to 1.2.9 for regular Asterisk shortly. Unfortunately, we can't move the bri/Cologne version because it depends upon the Junghanns code, so we'll have to wait for them. In any event you should be fine as long as you don't allow IAX guests.

Thanks again

jeff@selintra.com

WillKemp

Asterisk 1.2.9.1- new security fix
« Reply #2 on: June 10, 2006, 01:39:45 AM »
Quote from: "selintra"
In any event you should be fine as long as you don't allow IAX guests.

That's not my interpretation of what's written on asterisk.org:

"All users are urged to upgrade as soon as they can practically do so, or ensure that they don't expose IAX2 services to the public if it is not necessary." (my italics).

There doesn't appear to be a more in-depth explanation anywhere, but my understanding of "expose to the public" is having port 4569 (or whatever one you've got your IAX service listening on) open to the entire internet. It doesn't appear to me to have anything to do with guest users.

However, I may be misunderstanding what they're trying to say.

JonB
Asterisk 1.2.9.1- new security fix
« Reply #3 on: June 10, 2006, 08:31:24 AM »
My understanding is that the truncated frame exploit has to come from a compromised host machine that has an IAXclient-based softphone (which is basically all the IAX2 softphones) installed and is registered with your Asterisk server. This compromised host machine could be inside or outside your network.

I note that the IAXclient libraries have been updated to fix the exploit.

Asterisk has been patched to not accept the truncated frames.


Read http://www.voipphreak.ca/ to find out all about it.

Jon
...

WillKemp

Asterisk 1.2.9.1- new security fix
« Reply #4 on: June 10, 2006, 09:17:10 AM »
Quote from: "JonB"
Read http://www.voipphreak.ca/ to find out all about it.

From that site:

Quote
Workaround:

Block inbound packets to port 4569/udp at the perimeter. This workaround will prevent interoperation of IAX-based VoIP solutions with VoIP services outside the boundaries of the filtered network. Also, the PBX will remain vulnerable to internal attacks from hosts within the protected network.

Obviously, what I suggested some time ago - i.e., configuring the firewall to restrict external (internet) access to IAX and SIP ports to ITSPs only (rather than the whole world) - would go a long way towards securing a vulnerable system. This would probably still allow an attack - particularly if notransfer=yes isn't set for that ITSP in iax.conf - but it would drastically limit the chances of it happening.

JonB
Asterisk 1.2.9.1- new security fix
« Reply #5 on: June 10, 2006, 10:51:57 AM »
Sorry, but I disagree. That may be what you want, but it isn't what I want. The instructions are available on how to modify the firewall to allow only certain IPs access to the SIP and IAX2 ports and deny all others.

I have (or should I say had) 16 DIAX IAX2 client softphones connected to my * server. I disabled access to all these phones when I read the security report and they will be replaced with softphones that have the security patched IAXclient libraries.

There are actually 2 security issues.

The first is the Truncated Frame vulnerability in the IAXclient libraries i.e IAX softphones and the other is the Truncated Video Frame vulnerability in Asterisk.

The workaround suggested is a drastic measure and is aimed at those large * servers that have multiple IAX2 softphones connected to them. In the case of smaller or home * servers it is enough to disable access to IAX softphones until
1 - The client IAX softphones are replaced with new patched softphones, or
2 - The * server is upgraded to the new versions with the security patches.

The vulnerability cannot be exploited unless an IAX2 session has been established. An IAX2 session cannot be established unless there is an IAX2 client that is registered with your server and has established that session by making a call. The host machine with the IAX2 client on it needs to have been compromised and it needs to have an unpatched IAXclient based softphone.

It is not a brute force exploit. It is not like a trojan/virus out there in the wild hammering away at port 4569 trying to find an unpatched * server to exploit. It needs several things before the server can be exploited:

1 - A compromised host PC
2 - An IAX2 softphone that uses unpatched IAXclient libs
3 - The IAX2 softphone needs to be on and registered to the * server and able to establish a session.
4 - An unpatched * server.

Take any one of these away and the exploit won't happen. In my case I have removed 3 - the ability for my softphone to register with my server. In the case of large * servers where they may have thousands of IAX softphones registering it would be easier to block port 4569 until they patch the servers.

If you do not have any IAX2 clients connecting to your server, then you have no problems.

Jon
...
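The two firewall mitigations discussed in this thread (the voipphreak.ca workaround of dropping all inbound 4569/udp at the perimeter, and Will's approach of allowing the IAX and SIP ports only from your ITSPs' addresses) expressed as iptables rules. This is an added example for illustration, not code from the thread, from SME Server/SAIL or from Asterisk; the interface name, port numbers and the ITSP address used in the usage line are assumptions, and the ITSP address is a constructed value from the documentation range.

```sh
#!/bin/sh
# Added example: generate (and optionally apply) iptables rules for the two
# IAX2 exposure mitigations discussed in the thread. Not SME Server's or
# Asterisk's own code. WAN_IF, the ports and the ITSP addresses are assumptions.
# DRY_RUN=1 (default) only prints the iptables commands; DRY_RUN=0 applies them.

WAN_IF="${WAN_IF:-eth0}"        # assumed name of the internet-facing interface
IAX_PORT="${IAX_PORT:-4569}"    # bindport in iax.conf (IAX2 signalling and media)
SIP_PORT="${SIP_PORT:-5060}"    # bindport in sip.conf (SIP signalling only)
DRY_RUN="${DRY_RUN:-1}"

# run_rule: print the iptables command and, unless DRY_RUN=1, execute it.
run_rule() {
    echo "iptables $*"
    [ "$DRY_RUN" = "1" ] || iptables "$@"
}

# block_all_iax: the voipphreak.ca workaround. Drop every inbound packet to
# the IAX2 port arriving on the WAN interface, so no IAX2 session (and hence
# no truncated frame) can come from the internet. Hosts on the LAN side can
# still reach chan_iax2, which is exactly the residual risk the advisory notes.
block_all_iax() {
    run_rule -I INPUT -i "$WAN_IF" -p udp --dport "$IAX_PORT" -j DROP
}

# allow_itsps_only: Will's approach. Accept the IAX2 and SIP ports only from
# the ITSP addresses given as arguments, then drop those ports from anyone
# else on the WAN interface. Internal hosts are again unaffected.
allow_itsps_only() {
    for itsp in "$@"; do
        run_rule -A INPUT -i "$WAN_IF" -p udp -s "$itsp" --dport "$IAX_PORT" -j ACCEPT
        run_rule -A INPUT -i "$WAN_IF" -p udp -s "$itsp" --dport "$SIP_PORT" -j ACCEPT
    done
    run_rule -A INPUT -i "$WAN_IF" -p udp --dport "$IAX_PORT" -j DROP
    run_rule -A INPUT -i "$WAN_IF" -p udp --dport "$SIP_PORT" -j DROP
}

# Usage (constructed ITSP address; run without DRY_RUN=0 to just see the rules):
#   DRY_RUN=1 sh this_script.sh
allow_itsps_only 203.0.113.10
```

Two caveats when applying this for real: the ACCEPT/DROP pairs in allow_itsps_only only have an effect if they sit before any broader rule that already accepts inbound UDP, so check the existing INPUT chain (and, on SME Server, place rules through its own template-managed firewall rather than by hand so they survive a rebuild); and the SIP rule covers signalling only, since RTP media uses a separate port range that this script does not touch. IAX2 carries signalling and media on the one port, which is why blocking 4569/udp alone is a complete cut-off for it.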

WillKemp

Asterisk 1.2.9.1- new security fix
« Reply #6 on: June 10, 2006, 10:57:21 AM »
Yeah, ok. I can see that now. Thanks for your explanation.