Description
The commit https://github.com/asterisk/asterisk/commit/80b8c2349c427a94a428670f1183bdc693936813 has made Asterisk vulnerable again to RTP/RTCP scanning/stealing/injection attacks (when NAT support is enabled). Version 11.0.4 was the first release to include this; all following versions have this issue (last tested against 14.4.0).
How to reproduce:
- set up a SIP friend with NAT support enabled
- make a call with that SIP peer (I use a minimalistic Playback extension)
- use rtpnatscan from a remote system (https://github.com/kapejod/rtpnatscan) to scan Asterisk's RTP port range (rtpnatscan will report received RTP packets "received X bytes from target port Y, seq Z")
Impact:
- denial of service (with minimal bandwidth requirements)
- information leakage
This is what Sandro Gauci has been talking about in his presentation at Kamailio World 2017.
Issue Links
- is related to
  - ASTERISK-27252: RTP: One way audio with direct media and strictrtp=yes. (Closed)
  - ASTERISK-27274: RTCP needs better packet validation to resist port scans. (Closed)
  - SWP-9778
Change 6339 merged by Joshua Colp:
res_rtp_asterisk: Only learn a new source in learn state.
https://gerrit.asterisk.org/6339
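
A simplified model of what "only learn a new source in learn state" means for an RTP session, added here as an illustration and not taken from res_rtp_asterisk or the Gerrit change. The struct and function names, the `MIN_SEQUENTIAL` threshold and the sample addresses are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model, not res_rtp_asterisk code. All names are hypothetical. */
enum learn_state { LEARN, LOCKED };

struct endpoint { uint32_t ip; uint16_t port; };

struct rtp_session {
    enum learn_state state;
    struct endpoint remote;     /* where outbound media is sent once locked */
    struct endpoint candidate;  /* source currently on probation */
    uint16_t last_seq;
    int sequential;             /* in-order packets seen from the candidate */
};

#define MIN_SEQUENTIAL 4        /* constructed threshold for this example */

static int same_ep(const struct endpoint *a, const struct endpoint *b) {
    return a->ip == b->ip && a->port == b->port;
}

void session_init(struct rtp_session *s) {
    memset(s, 0, sizeof(*s));
    s->state = LEARN;
}

/* Returns 1 if the packet is accepted as media, 0 if it is dropped. */
int rtp_receive(struct rtp_session *s, struct endpoint src, uint16_t seq) {
    if (s->state == LOCKED) {
        /* Locked: a packet from another source never moves the remote address. */
        return same_ep(&s->remote, &src);
    }
    /* Learn state: count consecutive sequence numbers from one source. */
    if (same_ep(&s->candidate, &src) && seq == (uint16_t)(s->last_seq + 1)) {
        s->sequential++;
    } else {
        s->candidate = src;     /* a different source restarts probation */
        s->sequential = 1;
    }
    s->last_seq = seq;
    if (s->sequential >= MIN_SEQUENTIAL) {
        s->remote = src;        /* source learned; leave the learn state */
        s->state = LOCKED;
        return 1;
    }
    return 0;                   /* on probation: no media is sent to this source */
}
```

In this model a single stray packet sent to the port, as a port-range scan would produce, neither becomes the media destination nor displaces a source that has already been learned.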