AST-2009-006: IAX2 Call Number Resource Exhaustion

2009-09-04 00:00:00
vulners.com
           Asterisk Project Security Advisory - AST-2009-006

+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | IAX2 Call Number Resource Exhaustion              |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service                                 |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote unauthenticated sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Major                                             |
|--------------------+---------------------------------------------------|
| Exploits Known     | Yes - Published by Blake Cornell < blake AT       |
|                    | remoteorigin DOT com > on voip0day.com            |
|--------------------+---------------------------------------------------|
| Reported On        | June 22, 2008                                     |
|--------------------+---------------------------------------------------|
| Reported By        | Noam Rathaus < noamr AT beyondsecurity DOT com >, |
|                    | with his SSD program, also by Blake Cornell       |
|--------------------+---------------------------------------------------|
| Posted On          | September 3, 2009                                 |
|--------------------+---------------------------------------------------|
| Last Updated On    | September 3, 2009                                 |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Russell Bryant < russell AT digium DOT com >      |
|--------------------+---------------------------------------------------|
| CVE Name           | CVE-2009-2346                                     |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description        | The IAX2 protocol uses a call number to associate |
|                    | messages with the call that they belong to.       |
|                    | However, the protocol defines the call number     |
|                    | field in messages as a fixed size 15 bit field.   |
|                    | So, if all call numbers are in use, no additional |
|                    | sessions can be handled.                          |
|                    |                                                   |
|                    | A call number gets created at the start of an     |
|                    | IAX2 message exchange. So, an attacker can send a |
|                    | large number of messages and consume the call     |
|                    | number space. The attack is also possible using   |
|                    | spoofed source IP addresses as no handshake is    |
|                    | required before a call number is assigned.        |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution         | Upgrade to a version of Asterisk listed in this   |
|                    | document as containing the IAX2 protocol security |
|                    | enhancements. In addition to upgrading,           |
|                    | administrators should consult the users guide     |
|                    | section of the IAX2 Security document             |
|                    | (IAX2-security.pdf), as well as the sample        |
|                    | configuration file for chan_iax2 that have been   |
|                    | distributed with those releases for assistance    |
|                    | with new options that have been provided.         |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Discussion         | A lot of time was spent trying to come up with a  |
|                    | way to resolve this issue in a way that was       |
|                    | completely backwards compatible. However, the     |
|                    | final resolution ended up requiring a             |
|                    | modification to the IAX2 protocol. This           |
|                    | modification is referred to as call token         |
|                    | validation. Call token validation is used as a    |
|                    | handshake before call numbers are assigned to     |
|                    | IAX2 connections.                                 |
|                    |                                                   |
|                    | Call token validation by itself does not resolve  |
|                    | the issue. However, it does allow an IAX2 server  |
|                    | to validate that the source of the messages has   |
|                    | not been spoofed. In addition to call token       |
|                    | validation, Asterisk now also has the ability to  |
|                    | limit the amount of call numbers assigned to a    |
|                    | given remote IP address.                          |
|                    |                                                   |
|                    | The combination of call token validation and call |
|                    | number allocation limits is used to mitigate this |
|                    | denial of service issue.                          |
|                    |                                                   |
|                    | An alternative approach to securing IAX2 would be |
|                    | to use a security layer on top of IAX2, such as   |
|                    | DTLS [RFC4347] or IPsec [RFC4301].                |
+------------------------------------------------------------------------+
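The following is an added model of the two mitigations the Discussion describes, written for this page and not taken from Asterisk's chan_iax2 code: a stateless, HMAC-based call token is issued for every unauthenticated NEW without allocating anything, a call number from the 15-bit space is handed out only after the peer echoes a token valid for its own source address, and each address is capped at a constructed per-IP limit. The secret, token lifetime, per-IP cap and token format are assumptions of the model.

```python
import hashlib
import hmac

MAX_CALL_NUMBERS = (1 << 15) - 1   # 15-bit field, call number 0 reserved: 32767 usable
TOKEN_LIFETIME = 10                # seconds a call token stays valid (constructed value)
PER_IP_LIMIT = 100                 # constructed per-address allocation cap


class Iax2Server:
    """Model of the mitigation: no call number is allocated until the peer
    echoes a token proving it really receives traffic at its source address."""

    def __init__(self, secret, now):
        self.secret = secret       # server-side key for the HMAC in the token
        self.now = now             # clock callable, injectable for tests
        self.free = list(range(MAX_CALL_NUMBERS, 0, -1))  # pop() hands out 1, 2, ...
        self.in_use = {}           # call number -> source ip
        self.per_ip = {}           # source ip -> call numbers allocated

    def _mac(self, src_ip, ts):
        return hmac.new(self.secret, f"{src_ip}|{ts}".encode(), hashlib.sha1).hexdigest()

    def make_token(self, src_ip):
        ts = int(self.now())
        return f"{ts}:{self._mac(src_ip, ts)}"   # stateless: nothing kept per request

    def token_valid(self, src_ip, token):
        try:
            ts_str, mac = token.split(":", 1)
            ts = int(ts_str)
        except ValueError:
            return False
        if not 0 <= self.now() - ts <= TOKEN_LIFETIME:
            return False
        return hmac.compare_digest(mac, self._mac(src_ip, ts))

    def handle_new(self, src_ip, token=None):
        """Challenge first; allocate a call number only after a valid token echo."""
        if token is None:
            return ("CALLTOKEN", self.make_token(src_ip))   # no state allocated yet
        if not self.token_valid(src_ip, token):
            return ("REJECT", "bad token")
        if self.per_ip.get(src_ip, 0) >= PER_IP_LIMIT:
            return ("REJECT", "per-ip limit")
        if not self.free:
            return ("REJECT", "call numbers exhausted")
        num = self.free.pop()
        self.in_use[num] = src_ip
        self.per_ip[src_ip] = self.per_ip.get(src_ip, 0) + 1
        return ("ACCEPT", num)
```

A spoofed source never sees the CALLTOKEN reply, so it can never reach the allocation step, while a genuine flood from one address is bounded by PER_IP_LIMIT rather than by the whole 32767-entry space.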

+------------------------------------------------------------------------+

Affected Versions
Product
----------------------------------+---------------+-------------------
Asterisk Open Source
----------------------------------+---------------+-------------------
Asterisk Open Source
----------------------------------+---------------+-------------------
Asterisk Open Source
----------------------------------+---------------+-------------------
Asterisk Business Edition
----------------------------------+---------------+-------------------
Asterisk Business Edition
----------------------------------+---------------+-------------------
s800i (Asterisk Appliance)
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+

Corrected In
Product
---------------------------------------------+-------------------------
Asterisk Open Source
---------------------------------------------+-------------------------
Asterisk Open Source
---------------------------------------------+-------------------------
Asterisk Open Source
---------------------------------------------+-------------------------
Asterisk Open Source
---------------------------------------------+-------------------------
Asterisk Business Edition
---------------------------------------------+-------------------------
Asterisk Business Edition
---------------------------------------------+-------------------------
Asterisk Business Edition
---------------------------------------------+-------------------------
S800i (Asterisk Appliance)
+------------------------------------------------------------------------+

+-----------------------------------------------------------------------------+

Patches
Link
----------------------------------------------------------------------+-----
http://downloads.asterisk.org/pub/security/AST-2009-006-1.2.diff.txt
----------------------------------------------------------------------+-----
http://downloads.asterisk.org/pub/security/AST-2009-006-1.4.diff.txt
----------------------------------------------------------------------+-----
http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.0.diff.txt
----------------------------------------------------------------------+-----
http://downloads.asterisk.org/pub/security/AST-2009-006-1.6.1.diff.txt
+-----------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links              | http://www.rfc-editor.org/authors/rfc5456.txt     |
|                    | https://issues.asterisk.org/view.php?id=12912     |
|                    | http://www.beyondsecurity.com/ssd.html            |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2009-006.pdf and          |
| http://downloads.digium.com/pub/security/AST-2009-006.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+

Revision History
Date
------------------+---------------------+-----------------------------
2009-09-03
+------------------------------------------------------------------------+

          Copyright (c) 2009 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.