Details
- Type: Bug
- Status: Closed
- Severity: Major
- Resolution: Fixed
- Affects Version/s: 11.2.1
- Component/s: Channels/chan_sip/General
- Labels: None
Description
So... I was trying to see if I could alter the SIP security framework messages to differentiate between auth failures for any UDP packet and those with a valid nonce. Those with a valid nonce would probably not have a spoofed IP, so I can use fail2ban on them with more peace of mind.
But, then I saw the different handling of the alwaysauthreject-challenge and the "normal" challenge code. These differences can be observed by an attacker sniffing for valid usernames.
VICTIM$ sudo asterisk -nrx 'sip show peers' | head -n4
Name/username...
100...
101...
102...
VICTIM$ sudo asterisk -nrx 'core show version'
Asterisk SVN-branch-11-r380384M
ATTACKER$ sipp -m 1 -sf register-username-disclosure.xml VICTIM -s 000 -ap badpass >/dev/null
000 is NOT a valid username
ATTACKER$ sipp -m 1 -sf register-username-disclosure.xml VICTIM -s 001 -ap badpass >/dev/null
001 is NOT a valid username
ATTACKER$ sipp -m 1 -sf register-username-disclosure.xml VICTIM -s 100 -ap badpass >/dev/null
100 is a valid username
ATTACKER$ sipp -m 1 -sf register-username-disclosure.xml VICTIM -s 101 -ap badpass >/dev/null
101 is a valid username
I haven't done any work on fixing the issue. But it's likely that the right fix would be to follow the normal challenge code path as much as possible.
Regards,
Walter Doekes
OSSO B.V.
(my employer wouldn't mind if OSSO B.V. is mentioned in a security bulletin if that were to be produced)
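A regression check for the condition this report describes, as an added example that is not part of the original report or of the Asterisk code base: it reduces two 401 challenges (one for a known account, one for an unknown one) to the parts that should not depend on the account and lists whatever still differs. The sample responses, the helper names and the difference shown in LEAKY are constructed; the report does not state what the actual difference was.

```python
import difflib
import re

# Values that legitimately change on every challenge; only their length is kept.
VOLATILE = re.compile(r'\b(nonce|opaque)="([^"]*)"', re.I)
# Headers the server copies from the request, so they always differ per test.
ECHOED = {"via", "from", "to", "call-id", "cseq"}

def _mask(m):
    return f"{m.group(1).lower()}=<{len(m.group(2))} chars>"

def fingerprint(raw):
    """Reduce a SIP response to the parts that must not depend on the account."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status, *headers = head.split("\n")
    shape = [status.strip()]
    for line in headers:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ECHOED:
            shape.append(name)  # keep presence and order, drop the value
        else:
            shape.append(f"{name}: {VOLATILE.sub(_mask, value.strip())}")
    return shape

def parity_diff(resp_known, resp_unknown):
    """Return fingerprint lines that differ; an empty list means no visible tell."""
    delta = difflib.ndiff(fingerprint(resp_known), fingerprint(resp_unknown))
    return [d for d in delta if d[:2] in ("- ", "+ ")]

def sample(user, www_auth):
    """Constructed 401 response (assumption: not captured from a real Asterisk)."""
    return (
        "SIP/2.0 401 Unauthorized\r\n"
        f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-{user}\r\n"
        f"From: <sip:{user}@example.test>;tag={user}a\r\n"
        f"To: <sip:{user}@example.test>;tag=as{user}\r\n"
        f"Call-ID: {user}@192.0.2.10\r\n"
        "CSeq: 1 REGISTER\r\n"
        f"WWW-Authenticate: {www_auth}\r\n"
        "Content-Length: 0\r\n\r\n"
    )

KNOWN = sample("100", 'Digest algorithm=MD5, realm="asterisk", nonce="4a1b2c3d"')
# Constructed tell: different parameter set and nonce length for an unknown user.
LEAKY = sample("000", 'Digest realm="asterisk", nonce="0f9e8d7c6b"')
# Same shape as KNOWN with fresh values, as a uniform code path would produce.
UNIFORM = sample("000", 'Digest algorithm=MD5, realm="asterisk", nonce="77e0a9b1"')

if __name__ == "__main__":
    print("leaky:", parity_diff(KNOWN, LEAKY))
    print("uniform:", parity_diff(KNOWN, UNIFORM))
```

An empty result only covers what is visible in the message text; response timing and retransmission behaviour would need their own checks.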
Issue Links
- must be completed before resolving
  - ASTERISK-21004 Open Blockers for 1.8.21.0 (Closed)
  - ASTERISK-21005 Open Blockers for 11.3.0 (Closed)
Would you mind attaching the sip.conf you used with this SIPp scenario? I know it's likely to be trivial, but I want to ensure I have exactly the same setup for testing.