Asterisk
  1. Asterisk
  2. ASTERISK-27013

res_rtp_asterisk: Media can be hijacked even with strict RTP enabled

    Details

      Description

      the commit https://github.com/asterisk/asterisk/commit/80b8c2349c427a94a428670f1183bdc693936813 has made asterisk vulnerable again for RTP/RTCP scanning/stealing/injection attacks (when NAT support is enabled). Version 11.0.4 was the first release to include this, all following versions have this issue (last tested against 14.4.0).

      How to reproduce:

      • set up a SIP friend with NAT support enabled
      • make a call with that SIP peer (i use a minimalistic Playback extension)
      • use rtpnatscan from a remote system (https://github.com/kapejod/rtpnatscan) to scan Asterisk's RTP port range (rtpnatscan will report received RTP packets "received X bytes from target port Y, seq Z")

      Impact:

      • denial of service (with minimal bandwidth requirements)
      • information leakage

      This is what Sandro Gauci has been talking about in his presentation at Kamailio World 2017.

        Issue Links

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

          Hide
          Friendly Automation added a comment -

          Change 6356 merged by Joshua Colp:
          res_rtp_asterisk: Only learn a new source in learn state.

          https://gerrit.asterisk.org/6356

          Show
          Friendly Automation added a comment - Change 6356 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6356
          Hide
          Friendly Automation added a comment -

          Change 6336 merged by Joshua Colp:
          res_rtp_asterisk: Only learn a new source in learn state.

          https://gerrit.asterisk.org/6336

          Show
          Friendly Automation added a comment - Change 6336 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6336
          Hide
          Friendly Automation added a comment -

          Change 6340 merged by Joshua Colp:
          res_rtp_asterisk: Only learn a new source in learn state.

          https://gerrit.asterisk.org/6340

          Show
          Friendly Automation added a comment - Change 6340 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6340
          Hide
          Friendly Automation added a comment -

          Change 6361 merged by Joshua Colp:
          res_rtp_asterisk: Only learn a new source in learn state.

          https://gerrit.asterisk.org/6361

          Show
          Friendly Automation added a comment - Change 6361 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6361
          Hide
          Friendly Automation added a comment -

          Change 6341 merged by Joshua Colp:
          res_rtp_asterisk: Only learn a new source in learn state.

          https://gerrit.asterisk.org/6341

          Show
          Friendly Automation added a comment - Change 6341 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6341

            People

            • Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: