A Denial of Service vulnerability was identified on systems that have the Asterisk Manager Interface, Skinny, SIP over TCP, or the built in HTTP server enabled.
Vulnerable Systems:
* Asterisk Open Source 1.4.x All versions
* Asterisk Open Source 1.6.1.x All versions
* Asterisk Open Source 1.6.2.x All versions
* Asterisk Open Source 1.8.x All versions
* Asterisk Business Edition C.x.x All versions
On systems that have the Asterisk Manager Interface, Skinny, SIP over TCP, or the built in HTTP server enabled, it is possible for an attacker to open as many connections to asterisk as he wishes. This will cause Asterisk to run out of available file descriptors and stop processing any new calls. Additionally, disk space can be exhausted as Asterisk logs failures to open new file descriptors.
Workaround:
Asterisk can now limit the number of unauthenticated connections to each vulnerable interface and can also limit the time unauthenticated clients will remain connected for some interfaces. This will prevent vulnerable interfaces from using up all available file descriptors. Care should be taken when setting the connection limits so that the combined total of allowed unauthenticated sessions from each service is not more than the file descriptor limit for the Asterisk process. The file descriptor limit can be checked (and set) using the 'ulimit -n' command for the process' limit and the '/proc/sys/fs/file-max' file (on Linux) for the system's limit.
It will still be possible for an attacker to deny service to each of the vulnerable services individually. To mitigate this risk, vulnerable services should be run behind a firewall that can detect and prevent DoS attacks.
In addition to using a firewall to filter traffic, vulnerable systems can be protected by disabling the vulnerable services in their respective configuration files.
