Summary: ASTERISK-27013: res_rtp_asterisk: Media can be hijacked even with strict RTP enabled
Reporter: Joshua C. Colp (jcolp)
Date Opened: 2017-05-23 07:58:58
Date Closed: 2017-08-31 06:13:46
Priority: Major
Status: Closed/Complete
Components: Resources/res_rtp_asterisk
Versions: 13.15.0, 14.4.0
Description:

The commit https://github.com/asterisk/asterisk/commit/80b8c2349c427a94a428670f1183bdc693936813 has made Asterisk vulnerable again to RTP/RTCP scanning/stealing/injection attacks (when NAT support is enabled). Version 11.0.4 was the first release to include this; all following versions have this issue (last tested against 14.4.0).

How to reproduce:
- set up a SIP friend with NAT support enabled
- make a call with that SIP peer (I use a minimalistic Playback extension)
- use rtpnatscan from a remote system (https://github.com/kapejod/rtpnatscan) to scan Asterisk's RTP port range (rtpnatscan will report received RTP packets "received X bytes from target port Y, seq Z")

Impact:
- denial of service (with minimal bandwidth requirements)
- information leakage

This is what Sandro Gauci has been talking about in his presentation at Kamailio World 2017.
Comments:

By: Friendly Automation (friendly-automation) 2017-08-31 06:13:47.570-0500
Change 6339 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6339

By: Friendly Automation (friendly-automation) 2017-08-31 06:14:50.637-0500
Change 6358 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6358

By: Friendly Automation (friendly-automation) 2017-08-31 06:31:52.875-0500
Change 6337 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6337

By: Friendly Automation (friendly-automation) 2017-08-31 06:38:06.877-0500
Change 6353 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6353

By: Friendly Automation (friendly-automation) 2017-08-31 06:40:05.301-0500
Change 6338 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6338

By: Friendly Automation (friendly-automation) 2017-08-31 07:20:19.665-0500
Change 6335 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6335

By: Friendly Automation (friendly-automation) 2017-08-31 07:20:41.922-0500
Change 6356 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6356

By: Friendly Automation (friendly-automation) 2017-08-31 07:21:02.466-0500
Change 6336 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6336

By: Friendly Automation (friendly-automation) 2017-08-31 07:54:49.087-0500
Change 6340 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6340

By: Friendly Automation (friendly-automation) 2017-08-31 08:00:08.259-0500
Change 6361 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6361

By: Friendly Automation (friendly-automation) 2017-08-31 08:36:53.460-0500
Change 6341 merged by Joshua Colp: res_rtp_asterisk: Only learn a new source in learn state. https://gerrit.asterisk.org/6341
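The rule named in the merged change title, "Only learn a new source in learn state", shown as a simplified model that is an added example and not code from Asterisk or from this issue. All names, the `PROBATION` count and the `relearn_when_locked` switch are assumptions; the switch is hypothetical and models a session that adopts a new source outside the learn state, so the two policies can be compared.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model, not Asterisk code; every name here is an assumption. */
#define PROBATION 4   /* assumed: consecutive packets needed before locking */
enum strict_state { STRICT_LEARN, STRICT_LOCKED };
struct endpoint { uint32_t ip; uint16_t port; };

struct rtp_session {
    enum strict_state state;
    struct endpoint source;    /* candidate while learning, peer once locked */
    int seen;                  /* consecutive packets from the candidate */
    int relearn_when_locked;   /* hypothetical switch: 1 models the weak policy */
};

static int same_endpoint(const struct endpoint *a, const struct endpoint *b)
{
    return a->ip == b->ip && a->port == b->port;
}

void session_start(struct rtp_session *s, int relearn_when_locked)
{
    memset(s, 0, sizeof(*s));
    s->state = STRICT_LEARN;
    s->relearn_when_locked = relearn_when_locked;
}

/* Returns 1 if the packet is accepted as media, 0 if it is dropped. */
int rtp_accept(struct rtp_session *s, struct endpoint from)
{
    if (s->state == STRICT_LOCKED) {
        if (same_endpoint(&s->source, &from))
            return 1;
        if (!s->relearn_when_locked)
            return 0;          /* hardened: no learning outside learn state */
        s->source = from;      /* weak: a stray packet replaces the peer */
        return 1;
    }
    /* STRICT_LEARN: a different source restarts the probation count. */
    if (s->seen == 0 || !same_endpoint(&s->source, &from)) {
        s->source = from;
        s->seen = 0;
    }
    if (++s->seen >= PROBATION)
        s->state = STRICT_LOCKED;
    return 1;
}
```

With the switch off, a packet from a second address after locking is dropped and the stored source is unchanged; with it on, that single packet redirects the session's media.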