ASTERISK-28465: Broken SDP can cause a segfault in a T.38 reINVITE

[Home]

Summary: ASTERISK-28465: Broken SDP can cause a segfault in a T.38 reINVITE

Reporter: Francesco Castellano (fcastellano) Labels: security

Date Opened: 2019-06-28 10:46:50 Date Closed: 2019-07-11 14:03:21

Priority: Blocker Regression? No

Status: Closed/Complete Components: Channels/chan_sip/Interoperability

Versions: 13.27.0 Frequency of
Occurrence

Related
Issues:

Environment: asterisk-13.23.0 on Debian/Jessie, with T.38, and sip_preferred_codec_only reINVITE enabled Attachments: ( 0) crash-t38-broken-answer-with-empty-jointcaps.xml

Description: Our gateways (asterisk-13 based) experienced occasional segfaults last days, and inspecting with GDB their coredumps, we finally concluded they are caused by a very specific case in process_sdp() of chan_sip.c:

1) Asterisk has been configured with {{preferred_codec_only}} for the relevant peer, and e list, possibly restrictive, of codecs
2) the SIP peer starts a valid session through Asterisk (chan_sip) as a B2BUA
3) Asterisk issue a T.38 reINVITE (for example with ReceiveFAX application, even if it was not our case)
4) the SIP UA (UAS in this case) responds with a "broken" SDP with two m-lines, one for an audio codec _not_ included in the SIP peer allowed list, and another with image/t38

Such an SDP is broken because a SIP UA is not allowed to responds with multiple m-lines whenever it received just one m-line.

We reproduced it on a lab with SIPp and the last version *13* released (13.27.0), but I see no change on that part of code also on *master*.

The reason I choose to tag it as a security issue, is that:
* with specific configurations
* a malevolent, authenticated (it can setup a call through the Asterisk server) user
* can tear down the service

But I'm not sure it is so serious: I'm inviting you to properly change it.

Comments: By: Asterisk Team (asteriskteam) 2019-06-28 10:46:50.834-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.
By: Asterisk Team (asteriskteam) 2019-06-28 10:46:51.888-0500

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.
By: Francesco Castellano (fcastellano) 2019-06-28 11:02:35.130-0500

This is the SIPp scenario I used to crash our unpatched server, that is ineffective against the patched one.

It is somehow specific to our setup (via a SIP proxy), and I run it with something like:

{noformat}
sipp PROXY_DOMAIN -sf /scenarios/crash-t38-broken-answer-with-empty-jointcaps.xml -t u1 -r 1 -l 1 -m 1 -s SERVICE -ap AUTH_SECRET -base_cseq 42 -key caller CALLER -key domain DOMAIN -aa -au AUTH_USER
{noformat}

Moreover, you must have the matching SIP peer on the Asterisk server with:
* {{preferred_codec_only=yes}}
* Allowed codecs: {{g729,ulaw}}
* T.38 enabled
* a triggered dialplan that accept the call and pass it to {{ReceiveFAX()}} dialplan application
By: Joshua C. Colp (jcolp) 2019-06-28 11:40:41.055-0500

Unfortunately the changes you've posted on Gerrit were publicly accessible and generated email, so this has been disclosed a bit. I've gone ahead and marked them as private for now. In the future attaching patches for security issues is preferred instead of posting on Gerrit as Gerrit makes it easy to make things public and difficult to make them private.

We'll review this as soon as we can.
By: Francesco Castellano (fcastellano) 2019-07-01 04:00:31.990-0500

Joshua, thank you for your warning: I was unsure if it qualify as a security issue, but definitively I did not think about avoiding pushing code on Gerrit. Maybe, it would be useful to add such a warning [on the wiki page about Asterisk Security Vulnerabilities|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Vulnerabilities].

Thank you.
By: Joshua C. Colp (jcolp) 2019-07-01 06:18:42.363-0500

I've added another warning note.
By: Friendly Automation (friendly-automation) 2019-07-11 14:03:22.977-0500

Change 11551 merged by Benjamin Keith Ford:
chan_sip: Handle invalid SDP answer to T.38 re-invite

[https://gerrit.asterisk.org/c/asterisk/+/11551|https://gerrit.asterisk.org/c/asterisk/+/11551]
By: Friendly Automation (friendly-automation) 2019-07-11 14:14:44.298-0500

Change 11554 merged by Benjamin Keith Ford:
chan_sip: Handle invalid SDP answer to T.38 re-invite

[https://gerrit.asterisk.org/c/asterisk/+/11554|https://gerrit.asterisk.org/c/asterisk/+/11554]
By: Friendly Automation (friendly-automation) 2019-07-11 14:14:54.711-0500

Change 11553 merged by Benjamin Keith Ford:
chan_sip: Handle invalid SDP answer to T.38 re-invite

[https://gerrit.asterisk.org/c/asterisk/+/11553|https://gerrit.asterisk.org/c/asterisk/+/11553]
By: Friendly Automation (friendly-automation) 2019-07-11 14:15:03.575-0500

Change 11552 merged by Benjamin Keith Ford:
chan_sip: Handle invalid SDP answer to T.38 re-invite

[https://gerrit.asterisk.org/c/asterisk/+/11552|https://gerrit.asterisk.org/c/asterisk/+/11552]
By: Friendly Automation (friendly-automation) 2019-07-12 09:25:30.528-0500

Change 11559 merged by Kevin Harwell:
chan_sip: Handle invalid SDP answer to T.38 re-invite

[https://gerrit.asterisk.org/c/asterisk/+/11559|https://gerrit.asterisk.org/c/asterisk/+/11559]