ASTERISK-29260

sRTP Replay Protection ignored; even tears down long calls

    Details

      Description

      The fix for ASTERISK-16867 (commit 085b7b2) ignores sRTP Replay Protection…

      libSRTP has no API for this. Therefore, the fix went even further and re-creates the connection to the library. That has the side-effect that the sRTP-ROC is reset to zero. Normally, the sRTP-ROC is incremented each time the remote RTP-SEQ wraps from 0xffff to 0x0000. If you reset the sRTP-ROC, you cannot authenticate the remote RTP packets anymore at all. Consequently, a remote attacker is even able to tear down long-lasting calls (20 milliseconds × 0xffff ~ 21 minutes and 51 seconds).

      In the past, Asterisk has seen several enhancements when it comes to sRTP, like ASTERISK-20194, which handles re-INVITEs with new key material. Therefore, it is questionable whether this change is still needed nowadays. I went through my collection of sRTP implementations and found just two software platforms affected: Akuvox and VTech, both in the Call Hold/Resume scenario (see RFC 5359 section 2.1).

      In ASTERISK-16867, I mentioned a bug with VTech and SIP Session Timers. That got fixed just days after. And this can be worked around in Asterisk by refusing timers. However, in my recent test, I found that bug in hold/resume. That was reported via Snom and acknowledged under the ID VTECHDEV-350.

      Attached are two patches – hopefully, I am allowed to see/edit/attach those – one for Asterisk 13 and one for Asterisk 17. I went for approach C, with a new configuration setting to change the state of Replay Protection at runtime in general via the configuration file rtp.conf. However, because of the severity of this issue, Replay Protection is enabled by default. Therefore, when applying those patches, a note in CHANGES is required because, by default, Asterisk is going to break compatibility with broken remote parties.

      This way, the administrator is able to roll back until the user-agent manufacturer reacts. If you do not like that approach, because even such a configuration option would be too much risk for your users, you can simply revert the fix for ASTERISK-16867 and achieve the same effect.
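The following Python model is an added illustration, not code from this report or from Asterisk or libSRTP. It implements the RFC 3711 section 3.3 packet-index estimation (ROC, s_l) and a replay list on a toy receiver, then shows what the description above explains: once the remote SEQ has wrapped, re-creating the session resets the receiver's ROC to zero while the sender is already at one, so every subsequent MAC check fails; with the state kept, the same stream authenticates and a re-delivered packet is rejected as a replay. The key, SSRC, packet layout and 80-bit HMAC-SHA1 tag are constructed for the example.

```python
import hashlib, hmac, struct
REPLAY_WINDOW = 64  # RFC 3711 minimum replay window, in packets
KEY = b"k" * 16     # constructed authentication key shared by both ends

def auth_tag(key, rtp_packet, roc):
    # RFC 3711 4.2: the MAC covers the RTP packet plus the 32-bit ROC, truncated to 80 bits
    return hmac.new(key, rtp_packet + struct.pack("!I", roc), hashlib.sha1).digest()[:10]
def make_packet(key, seq, roc, payload=b"\x00" * 160):
    # constructed sender: 12-byte RTP header (V=2, PT=0, made-up SSRC), payload, tag
    hdr = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, 0x1234ABCD)
    return hdr + payload + auth_tag(key, hdr + payload, roc)

class SrtpReceiver:
    # toy receiver: ROC/s_l index estimation plus replay list, after RFC 3711 section 3.3
    def __init__(self, key):
        self.key, self.roc, self.s_l, self.seen = key, 0, None, set()
    def recreate(self):
        # models Asterisk re-creating the libSRTP session: ROC and replay state restart at zero
        self.roc, self.s_l, self.seen = 0, None, set()
    def receive(self, pkt):
        seq = struct.unpack("!H", pkt[2:4])[0]
        body, tag = pkt[:-10], pkt[-10:]
        v = self.roc  # RFC 3711 3.3.1: guess which ROC the sender used for this SEQ
        if self.s_l is not None:
            if self.s_l < 32768 and seq - self.s_l > 32768:
                v = (self.roc - 1) % (1 << 32)
            elif self.s_l >= 32768 and self.s_l - 32768 > seq:
                v = (self.roc + 1) % (1 << 32)
        index = (v << 16) | seq
        if not hmac.compare_digest(auth_tag(self.key, body, v), tag):
            return "auth-fail"  # a wrong ROC guess makes every MAC check fail
        newest = None if self.s_l is None else (self.roc << 16) | self.s_l
        if index in self.seen or (newest is not None and index + REPLAY_WINDOW <= newest):
            return "replay"
        if v == (self.roc + 1) % (1 << 32):  # SEQ wrapped 0xffff -> 0x0000: advance the ROC
            self.roc, self.s_l = v, seq
        elif v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq
        self.seen.add(index)
        return "ok"

def simulate(recreate_after_wrap):
    rx = SrtpReceiver(KEY)
    packets = [make_packet(KEY, s, r) for s, r in ((65533, 0), (65534, 0), (65535, 0), (0, 1), (1, 1))]
    out = [rx.receive(p) for p in packets]
    if recreate_after_wrap:
        rx.recreate()  # the ASTERISK-16867 behaviour the report describes
    out += [rx.receive(make_packet(KEY, s, 1)) for s in (2, 3)]
    out.append(rx.receive(packets[-1]))  # the seq=1 packet delivered a second time
    return out
```

`simulate(False)` accepts the whole stream and flags the re-delivered packet; `simulate(True)` rejects every packet after the session re-creation with an authentication failure.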

      1. srtp_replay_protection-13.patch (3 kB, Alexander Traud)
      2. srtp_replay_protection-17.patch (3 kB, Alexander Traud)

        Activity

        Friendly Automation added a comment -

        Change 15458 merged by George Joseph:
        rtp: Enable srtp replay protection

        https://gerrit.asterisk.org/c/asterisk/+/15458

        Friendly Automation added a comment -

        Change 15456 merged by George Joseph:
        rtp: Enable srtp replay protection

        https://gerrit.asterisk.org/c/asterisk/+/15456

        Friendly Automation added a comment -

        Change 15468 merged by George Joseph:
        rtp: Enable srtp replay protection

        https://gerrit.asterisk.org/c/asterisk/+/15468

        Friendly Automation added a comment -

        Change 15467 merged by George Joseph:
        rtp: Enable srtp replay protection

        https://gerrit.asterisk.org/c/asterisk/+/15467

        Friendly Automation added a comment -

        Change 15469 merged by George Joseph:
        rtp: Enable srtp replay protection

        https://gerrit.asterisk.org/c/asterisk/+/15469
