ISS Uncovers The Risk In Asterisk

Written by Adam Gosling

Tuesday, 18 July 2006
Internet Security Systems (ISS) has issued a security alert
for the open source PBX software, Asterisk. The vulnerabilities exist in earlier
versions of the Asterisk PBX software and in improperly configured newer
versions.
The first, a denial of service (DoS) vulnerability in the IAX2
(Inter-Asterisk eXchange protocol version 2) implementation of Asterisk 1.2.9, can be
triggered by flooding the PBX with call requests, leaving it unable to handle new calls.
The second bug, in the newer version, allows an attacker to
leverage accounts without passwords to flood a third party with UDP packets.
ISS says that if this attack is properly executed the victim's
connection can be completely clogged.
ISS says the DoS attack can be levelled at Asterisk PBX
1.2.9 and earlier, but warns that later versions may also be susceptible.
The volume of call requests required to achieve DoS can be
easily generated by a single host and may be spoofed from a different IP
address, says the security company.
In order for this attack to work, the attacker must know a
valid username on the PBX. However, the password for that username is not
required.
ISS says the 'maxauthreq' configuration option implemented
in version 1.2.10 of the software limits the number of simultaneous
unauthenticated calls that can be placed by a single user, mitigating the
threat.
In the reverse flood threat, an attacker can send a single
packet, spoofed from the source address of a victim, to an Asterisk PBX and
cause a large amount of traffic to be generated from the PBX to the victim.
Victims may find their Internet connectivity completely saturated. As the
attack is spoofed, it can be very difficult for them to determine its source.
In order for this attack to work, the attacker must know a
valid username on the PBX which does not require authentication. The default
configuration files that ship with Asterisk PBX include default users without
passwords. Usernames are also easy to guess by brute force.
Anyone could be a victim of such a traffic flood regardless
of whether or not they are running Asterisk PBX, as long as there are
vulnerable PBXs configured with default user accounts that do not require a
password.
ISS says the fix is simply to ensure that the PBX has no
accounts that are configured without passwords and no accounts configured to
use plaintext authentication.
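The two mitigations the article names, the 'maxauthreq' option in iax.conf and the removal of password-less or plaintext-authenticated accounts, can be checked mechanically. The following script is an added example written for this article; it is not code from ISS or from the Asterisk project. It assumes the standard iax.conf layout (a [general] section followed by one section per account, with type=, secret=, auth= and inkeys= keys); both sample configurations embedded in it are constructed for illustration and do not come from the advisory.

```python
"""Audit an Asterisk iax.conf for the weaknesses described in the ISS alert:
missing maxauthreq, accounts without a secret, and plaintext authentication."""
import re
from typing import Dict, List, Tuple

# iax.conf is INI-like, but Asterisk allows repeated keys (several allow= lines)
# and the "key => value" spelling, so configparser is not a good fit.
_SECTION_RE = re.compile(r"^\[([^\]]+)\]")
_ASSIGN_RE = re.compile(r"^([^=\s]+)\s*=>?\s*(.*)$")


def parse_asterisk_conf(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return an ordered list of (section name, [(key, value), ...]) pairs."""
    sections: List[Tuple[str, List[Tuple[str, str]]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = (m.group(1).strip(), [])
            sections.append(current)
            continue
        m = _ASSIGN_RE.match(line)
        if m and current is not None:
            current[1].append((m.group(1).lower(), m.group(2).strip()))
    return sections


def audit_iax_conf(text: str) -> List[str]:
    """Return one human-readable finding per weakness; an empty list means clean."""
    findings: List[str] = []
    for name, entries in parse_asterisk_conf(text):
        kv: Dict[str, List[str]] = {}
        for key, value in entries:
            kv.setdefault(key, []).append(value)
        if name == "general":
            # maxauthreq (Asterisk 1.2.10+) caps unauthenticated calls per user.
            if "maxauthreq" not in kv:
                findings.append("general: maxauthreq not set; unauthenticated call floods are unlimited")
            continue
        # Only user/friend entries accept inbound calls; peers are outbound-only.
        etype = kv.get("type", [""])[-1].lower()
        if etype not in ("user", "friend"):
            continue
        has_secret = any(v for v in kv.get("secret", []))
        has_rsa_keys = any(v for v in kv.get("inkeys", []))
        if not has_secret and not has_rsa_keys:
            findings.append(f"{name}: no secret configured (type={etype})")
        for auth in kv.get("auth", []):
            methods = [m.strip().lower() for m in auth.split(",")]
            if "plaintext" in methods:
                findings.append(f"{name}: plaintext authentication allowed (auth={auth})")
    return findings


# Constructed sample: the weak configuration the advisory warns about.
WEAK_IAX_CONF = """
[general]
bindport=4569
; maxauthreq deliberately absent

[demo]
type=user
context=default
; no secret: anyone who knows the name can place calls through this entry

[sales]
type=friend
secret=correct-horse
auth=plaintext

[trunk]
type=friend
secret=s3cret
auth=md5
"""

# Constructed sample: the same accounts with the fixes applied.
HARDENED_IAX_CONF = """
[general]
bindport=4569
maxauthreq=3

[demo]
type=user
context=default
secret=long-random-demo-secret
auth=md5

[sales]
type=friend
secret=correct-horse
auth=md5

[trunk]
type=friend
secret=s3cret
auth=md5
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_IAX_CONF), ("hardened", HARDENED_IAX_CONF)):
        print(f"== {label} ==")
        for finding in audit_iax_conf(conf) or ["no findings"]:
            print("  " + finding)
```

Run it against a copy of the live iax.conf (read the file and pass its contents to audit_iax_conf) as part of a change review; a non-empty result means an account that the reverse-flood attack could use or a PBX that the call-request flood can still exhaust.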
"Users of Voice over Internet Protocol (VoIP) systems
must be mindful not only of denial-of-service vulnerabilities in their VoIP PBX
implementations, such as the vulnerability discovered in Asterisk, but
underlying VoIP protocol weaknesses that may leave organizations open to
vishing, a new security threat which uses VoIP to steal user information, and
spam over the VoIP network," said Chris Rouland, chief technology officer
of Internet Security Systems.
"By leveraging pre-emptive protection from Internet Security
Systems, organizations can avoid the potential loss of productivity and the
business ramifications caused by these VoIP flaws as well as the underlying
operating systems vulnerabilities that VoIP platforms run on."
Asterisk is an open source, freely available application
that allows organisations to access all of the features of a typical telephony PBX,
including voicemail services, call conferencing, interactive voice response, call
queuing, three-way calling and caller ID services.
Asterisk users are urged to upgrade as soon as they can
practically do so, or ensure that they do not expose IAX2 services to the
public if it is not necessary. Asterisk users are strongly advised to ensure
that no accounts are configured without passwords.
The ISS X-Force advisory on this vulnerability can be found
at: http://xforce.iss.net/xforce/alerts/id/228
and http://xforce.iss.net/xforce/alerts/id/229.
www.asterisk.org/