Summary: ASTERISK-29260: sRTP Replay Protection ignored; even tears down long calls
Reporter: Alexander Traud (traud)
Labels: patch security
Date Opened: 2021-01-22 04:53:56.000-0600
Date Closed: 2021-02-18 10:38:33.000-0600
Priority: Blocker
Regression?:
Status: Closed/Complete
Components: Resources/res_srtp
Versions: 13.38.1 16.16.0 17.9.1 18.2.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) srtp_replay_protection-13.patch
( 1) srtp_replay_protection-17.patch
Description: The fix for ASTERISK-16867, commit [085b7b2|https://github.com/asterisk/asterisk/commit/085b7b212a1ff3a343b16a7b803527f2afd6ac1f] ignores [sRTP Replay Protection…|http://tools.ietf.org/html/rfc3711#section-3.3.2]

libSRTP has [no API for this|https://github.com/cisco/libsrtp/issues/424]. Therefore, the fix went even further and re-creates the connection to the library. That has the side-effect that the sRTP-ROC is reset to zero. Normally, the sRTP-ROC is incremented each time the remote RTP-SEQ wraps from 0xffff to 0x0000. If you reset the sRTP-ROC, you cannot authenticate the remote RTP packets anymore at all. Consequently, a remote attacker is even able to tear down long-lasting calls (20 milliseconds × 0xffff ~ 21 minutes and 51 seconds).

In the past, Asterisk has seen several enhancements when it comes to sRTP, like ASTERISK-20194, which handles re-INVITEs with new key material. Therefore, it is questionable whether this change is still needed nowadays. I went through [my collection|https://www.traud.de/voip] of sRTP implementations and found just two software platforms affected: Akuvox and VTech, both in the Call Hold/Resume scenario (see [RFC 5359 section 2.1|https://tools.ietf.org/html/rfc5359#section-2.1]).

In ASTERISK-16867, I mentioned a bug with VTech and [SIP Session Timers|https://tools.ietf.org/html/rfc4028]. That got fixed just days after. And this can be worked around in Asterisk by refusing timers. However, in my recent test, I found that bug in hold/resume. That was reported via Snom and acknowledged under the ID VTECHDEV-350.

Attached are two patches – hopefully, I am allowed to see/edit/attach those – one for Asterisk 13 and one for Asterisk 17. I went for approach C, with a new configuration setting to change the state of Replay Protection at runtime in general via the configuration file {{rtp.conf}}. However, because of the severity of this issue, Replay Protection is enabled by default. Therefore, when applying those patches, a note in CHANGES is required because, by default, Asterisk is going to break compatibility with broken remote parties.

This way, the administrator is able to roll back until the user-agent manufacturer reacts. If you do not like that approach, because even such a configuration option would be too much risk for your users, you can simply revert the fix for ASTERISK-16867 and achieve the same effect.
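
The receiver-side bookkeeping the description relies on, as an added example that is not part of the original report and is not Asterisk or libSRTP code: RFC 3711 packet-index estimation with a 64-packet replay window, plus a check of what a session re-created with ROC 0 computes mid-call. All struct and function names are hypothetical, the packet stream is constructed, and the authentication tag itself is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
/* Receiver state from RFC 3711 section 3.3 (struct and names are hypothetical). */
struct srtp_rx {
    uint32_t roc;    /* rollover counter: RTP SEQ wraps seen so far */
    uint16_t s_l;    /* highest RTP SEQ seen */
    uint64_t window; /* bit n set: index (top - n) was already received */
    int started;
};

/* Index estimation (RFC 3711 Appendix A): index = 2^16 * ROC + SEQ.
 * Before the first packet s_l is unset, so the ROC is used unchanged. */
static uint64_t guess_index(const struct srtp_rx *rx, uint16_t seq) {
    uint32_t v = rx->roc;
    if (rx->started && rx->s_l < 32768 && seq - rx->s_l > 32768) v--;
    else if (rx->started && rx->s_l >= 32768 && rx->s_l - 32768 > seq) v++;
    return ((uint64_t)v << 16) | seq;
}

/* Replay check and state update (section 3.3.2), 64-packet window, run after the
 * tag verified. Returns 1 for a new packet, 0 for a replay or a too-old one. */
static int srtp_rx_accept(struct srtp_rx *rx, uint16_t seq) {
    uint64_t idx = guess_index(rx, seq);
    uint64_t top = ((uint64_t)rx->roc << 16) | rx->s_l;
    if (rx->started && idx <= top) {
        uint64_t back = top - idx;
        if (back >= 64 || ((rx->window >> back) & 1)) return 0;
        rx->window |= 1ULL << back;
        return 1;
    }
    rx->window = (rx->started && idx - top < 64) ? (rx->window << (idx - top)) | 1 : 1;
    rx->roc = (uint32_t)(idx >> 16);
    rx->s_l = seq;
    rx->started = 1;
    return 1;
}

/* A session re-created mid-call starts at ROC 0. Returns 1 if its index for the
 * sender's packet equals the sender's real index; otherwise the tag cannot verify. */
static int fresh_session_in_sync(uint64_t sender_index) {
    struct srtp_rx fresh = {0};
    return guess_index(&fresh, (uint16_t)sender_index) == sender_index;
}

int main(void) {
    struct srtp_rx rx = {0};
    for (uint32_t i = 65500; i < 65546; i++) srtp_rx_accept(&rx, (uint16_t)i); /* constructed stream */
    printf("roc=%u replay=%d in_sync=%d\n", (unsigned)rx.roc, srtp_rx_accept(&rx, 5), fresh_session_in_sync(65546));
    return 0;
}
```

The tag is computed over the packet and the ROC, so once the sender's RTP-SEQ has wrapped, a receiver that restarts at ROC 0 derives a different index and rejects every following packet.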
Comments:
By: Asterisk Team (asteriskteam) 2021-01-22 04:53:57.989-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].

By: Asterisk Team (asteriskteam) 2021-01-22 04:54:01.589-0600

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue.

By: George Joseph (gjoseph) 2021-01-22 09:09:11.468-0600

Thanks Alexander!  We'll get back to you shortly.


By: Friendly Automation (friendly-automation) 2021-02-18 10:38:34.115-0600

Change 15460 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15460|https://gerrit.asterisk.org/c/asterisk/+/15460]

By: Friendly Automation (friendly-automation) 2021-02-18 10:38:37.167-0600

Change 15470 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15470|https://gerrit.asterisk.org/c/asterisk/+/15470]

By: Friendly Automation (friendly-automation) 2021-02-18 10:38:40.286-0600

Change 15455 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15455|https://gerrit.asterisk.org/c/asterisk/+/15455]

By: Friendly Automation (friendly-automation) 2021-02-18 10:38:43.009-0600

Change 15457 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15457|https://gerrit.asterisk.org/c/asterisk/+/15457]

By: Friendly Automation (friendly-automation) 2021-02-18 10:38:45.118-0600

Change 15459 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15459|https://gerrit.asterisk.org/c/asterisk/+/15459]

By: Friendly Automation (friendly-automation) 2021-02-18 10:38:48.191-0600

Change 15458 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15458|https://gerrit.asterisk.org/c/asterisk/+/15458]

By: Friendly Automation (friendly-automation) 2021-02-18 10:38:53.262-0600

Change 15456 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15456|https://gerrit.asterisk.org/c/asterisk/+/15456]

By: Friendly Automation (friendly-automation) 2021-02-18 10:38:56.116-0600

Change 15468 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15468|https://gerrit.asterisk.org/c/asterisk/+/15468]

By: Friendly Automation (friendly-automation) 2021-02-18 10:38:59.559-0600

Change 15467 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15467|https://gerrit.asterisk.org/c/asterisk/+/15467]

By: Friendly Automation (friendly-automation) 2021-02-18 10:39:02.341-0600

Change 15469 merged by George Joseph:
rtp:  Enable srtp replay protection

[https://gerrit.asterisk.org/c/asterisk/+/15469|https://gerrit.asterisk.org/c/asterisk/+/15469]