Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2009-2346 to a friend New vulnerability? New tool? Tell us	CVE-2009-2346 Asterisk IAX2 Call Number Resource Exhaustion     Credit: The information has been provided by SecuriTeam Secure Disclosure and Blake Cornell. The original article can be found at: http://downloads.digium.com/pub/security/AST-2009-006.pdf Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2009-2346 Details Check for CVE-2009-2346 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Asterisk Open Source version 1.2.x  * Asterisk Open Source version 1.4.x  * Asterisk Open Source version 1.6.x  * Asterisk Business Edition version B.x.x  * Asterisk Business Edition version C.x.x  * s800i (Asterisk Appliance) version 1.3.x Immune Systems:  * Asterisk Open Source version 1.2.35  * Asterisk Open Source version 1.4.26.2  * Asterisk Open Source version 1.6.0.15  * Asterisk Open Source version 1.6.1.6  * Asterisk Business Edition version B.2.5.10  * Asterisk Business Edition version C.2.4.3  * Asterisk Business Edition version C.3.1.1  * S800i (Asterisk Appliance) version 1.3.0.3 A call number gets created at the start of an IAX2 message exchange. So, an attacker can send a large number of messages and consume the call number space. The attack is also possible using spoofed source IP addresses as no handshake is required before a call number is assigned. A lot of time was spent trying to come up with a way to resolve this issue in a way that was completely backwards compatible. However, the final resolution ended up requiring a modification to the IAX2 protocol. This modification is referred to as call token validation. Call token validation is used as a handshake before call numbers are assigned to IAX2 connections. Call token validation by itself does not resolve the issue. However, it does allow an IAX2 server to validate that the source of the messages has not been spoofed. In addition to call token validation, Asterisk now also has the ability to limit the amount of call numbers assigned to a given remote IP address. The combination of call token validation and call number allocation limits is used to mitigate this denial of service issue. An alternative approach to securing IAX2 would be to use a security layer on top of IAX2, such as DTLS [RFC4347] or IPsec [RFC4301]. CVE Information: CVE-2009-2346 Patch Availability: Upgrade to a version of Asterisk listed in this document as containing the IAX2 protocol security enhancements. In addition to upgrading, administrators should consult the users guide section of the IAX2 Security document (IAX2-security.pdf), as well as the sample configuration file for chan_iax2 that have been distributed with those releases for assistance with new options that have been provided.  Comments on CVE-2009-2346:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®