AST-2008-010: Asterisk IAX 'POKE' resource exhaustion



Asterisk Project Security Advisory - AST-2008-010

+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | Asterisk IAX 'POKE' resource exhaustion |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Denial of service |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Critical |
|----------------------+-------------------------------------------------|
| Exploits Known | Yes |
|----------------------+-------------------------------------------------|
| Reported On | July 18, 2008 |
|----------------------+-------------------------------------------------|
| Reported By | Jeremy McNamara < jj AT nufone DOT net > |
|----------------------+-------------------------------------------------|
| Posted On | July 22, 2008 |
|----------------------+-------------------------------------------------|
| Last Updated On | July 22, 2008 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|----------------------+-------------------------------------------------|
| CVE Name | CVE-2008-3263 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | By flooding an Asterisk server with IAX2 'POKE' |
| | requests, an attacker may eat up all call numbers |
| | associated with the IAX2 protocol on an Asterisk server |
| | and prevent other IAX2 calls from getting through. Due |
| | to the nature of the protocol, IAX2 POKE calls will |
| | expect an ACK packet in response to the PONG packet sent |
| | in response to the POKE. While waiting for this ACK |
| | packet, this dialog consumes an IAX2 call number, as the |
| | ACK packet must contain the same call number as was |
| | allocated and sent in the PONG. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | The implementation has been changed to no longer allocate |
| | an IAX2 call number for POKE requests. Instead, call |
| | number 1 has been reserved for all responses to POKE |
| | requests, and ACK packets referencing call number 1 will |
| | be silently dropped. |
+------------------------------------------------------------------------+

+---------------------------------------------------------------------------------------------------------------------------------+
|Commentary|This vulnerability was reported to us without exploit code, less than two days before public release, with exploit |
| |code. Additionally, we were not informed of the public release of the exploit code and only learned this fact from a |
| |third party. We reiterate that this is irresponsible security disclosure, and we recommend that in the future, |
| |adequate time be given to fix any such vulnerability. Recommended reading: |
| |http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf|
+---------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.30 |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.21.2 |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x.x | All versions prior to |
| | | B.2.5.4 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | C.x.x.x | All versions prior to |
| | | C.1.10.3 |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW | pre-release | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit | 0.x.x | All versions |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.2.0.1 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.2.30 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.4.21.2 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | B.2.5.4 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | C.1.10.3 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | C.2.0.3 |
|---------------------------------------------+--------------------------|
| s800i (Asterisk Appliance) | 1.2.0.1 |
+------------------------------------------------------------------------+

+----------------------------------------------------------------------------------------------------------------------------+
|Links|http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf|
|-----+----------------------------------------------------------------------------------------------------------------------|
| |http://www.securityfocus.com/bid/30321/info |
+----------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-010.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-010.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+--------------------+---------------------------------|
| July 22, 2008 | Tilghman Lesher | Initial release |
|-----------------+--------------------+---------------------------------|
| July 22, 2008 | Tilghman Lesher | Revised C.1 version numbers |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2008-010
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.



Relevant Pages