ALERT RTP stream security risk

Discussion in 'Bug Reporting and Fixes' started by atsak, Sep 1, 2017.

  1. atsak

    atsak Guru

    Joined:
    Sep 7, 2009
    Messages:
    1,692
    Likes Received:
    146
  2. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
  3. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    We're seriously considering adding the RTP ports to the IPtables WhiteList methodology, i.e. only authorized IP addresses could access the RTP ports. This would eliminate the vulnerability regardless of your version of Asterisk.

    Comments??
     
  4. billsimon

    billsimon Experienced in Asterisk, FreePBX, and SIP

    Joined:
    Jan 2, 2011
    Messages:
    848
    Likes Received:
    253
    I don't see why this bug even exists, and why Asterisk devs had to do this RTP hacking in the first place. What am I missing? If the SDP in the INVITE or subsequent re-INVITE contains routable IP addresses, then use them for media. If the SDP contains non-routable IP addresses, then the client is behind a NAT and not using any NAT traversal techniques like SIP ALG, ICE/STUN, so send to the originating IP. Why are we making allowances here for media to come from anywhere?

    I think you can probably clamp down your firewall as much as you want, because symmetric RTP should allow media to get through by way of establishing an outbound stream (inbound stream comes back on the same path).
     
  5. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    352
    Likes Received:
    120
    I would tend to agree. I have to dig into this further, but have trouble seeing how this would impact my setups.

    RTP ports are blocked by default in my rules. Packets from a random address never make it past iptables.

    I have RTP ports allowed in my "endpoint" and "trunk" whitelist rule sets, but mostly just to cut down on the few dropped packets that are logged during call setup. I originally had an "rtp.media" ruleset, but found it unnecessary.

    Direct media providers like Anveo Direct (majority of our calls) would be impossible to white list. A few packets are dropped at the beginning of call setup, but symmetric RTP ultimately opens up the path and the user is unaware.

    If the IPBX rules open up RTP to everyone, that probably is not needed (at least in most situations - never say never).
     
    #5 jerrm, Sep 5, 2017
    Last edited: Sep 5, 2017
  6. atsak

    atsak Guru

    Joined:
    Sep 7, 2009
    Messages:
    1,692
    Likes Received:
    146
    It's rare but sometimes I've seen media proxies change IP mid stream. I don't even know how it was done because I can't figure out how it is possible (but I'm not really versed in that low level protocol behaviour), but the IP address of the RTP packets changed during a call (no packets lost either, which I figured at least there would be something, but there was a SIP reinvite message IIRC). Certainly media doesn't always come from the same IP as the SIP SBC of course, but
     
  7. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    @billsimon and @jerrm: By gosh, you're right. I closed UDP 10000-20000 in IPtables and everything still works for incoming and outgoing calls. And now the bad guys don't have a port to play with. I suppose this patch was for folks that either don't have a firewall or that pass UDP 10000-20000 thru their NAT-based router to the Asterisk server. Just another case of "we've always done it that way." :idea:
     
  8. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    Here's the patch procedure... (1) install it and then (2) don't forget to: iptables-restart

    REPORT ANY PROBLEMS AND WE CAN DEAL WITH THE OUTLYING ISSUES!


    For Incredible PBX for Issabel:
    Code:
    sed -i 's|/usr/sbin/iptables -A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#/usr/sbin/iptables -A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /usr/local/sbin/iptables-custom
    
    For Incredible PBX for Wazo and Incredible PBX 13 for Ubuntu 14:
    Code:
    sed -i 's|-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /etc/iptables/rules.v4
    sed -i 's|-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /etc/iptables/rules.v4.ubuntu14
    
    For Incredible PBX 13 for CentOS:
    Code:
    sed -i 's|-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /etc/sysconfig/iptables
    sed -i 's|-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /etc/sysconfig/rules.v4.ubuntu14
    
    For Incredible PBX for Raspbian:
    Code:
    sed -i 's|-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT|' /etc/iptables/rules.v4
    sed -i 's|-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT|' /etc/iptables/rules.v4.ubuntu14
    
     
    #8 wardmundy, Sep 5, 2017
    Last edited: Sep 11, 2017
  9. Sylvain Boily

    Sylvain Boily Active Member

    Joined:
    Apr 30, 2016
    Messages:
    258
    Likes Received:
    143
    Asterisk 14.6.1 with security fix will be in the next wazo version. Release 17.13 is for the 18/09/2017.
     
    wardmundy likes this.
  10. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    The problem is that the "security fix" itself has a problem:
    As documented above, the only reliable fix is to remove UDP 10000-20000 access in your firewall.
     
  11. KUMARULLAL

    KUMARULLAL Guru

    Joined:
    Feb 20, 2008
    Messages:
    195
    Likes Received:
    16
    @wardmundy
    I tried doing that on iptables on centos running travelinman. I get oneway audio. Others can hear me, I cannot hear outsiders.I have selected NAT=no and gsm and ulaw codes. the server is on cloud with public IP.
    What Am I doing wrong.
     
    #11 KUMARULLAL, Sep 8, 2017
    Last edited by a moderator: Sep 9, 2017
  12. dhoppy

    dhoppy Member

    Joined:
    Mar 9, 2009
    Messages:
    30
    Likes Received:
    2
    Also having a problem on a centos system. Audio is fine on inbound calls, no audio on outbound calls. Also, no audio on calls between extensions.

    The iptables fix on the ubuntu systems I have work fine.
     
  13. billsimon

    billsimon Experienced in Asterisk, FreePBX, and SIP

    Joined:
    Jan 2, 2011
    Messages:
    848
    Likes Received:
    253
    It could be a problem if both endpoints are outside the firewall and Asterisk is inside. Then who pokes the holes through the firewall for media? Both endpoints are blocked until Asterisk generates or relays some media. If Asterisk generates early media like ringback tones then problem solved. Otherwise, I don't know. @dhoppy , @KUMARULLAL , perhaps do some tcpdump or wireshark on your servers and see what's going on.
     
    wardmundy likes this.
  14. anthony rubio

    anthony rubio New Member

    Joined:
    Mar 31, 2016
    Messages:
    7
    Likes Received:
    0
    should i worry of this on the 3cx system?
     
  15. pbxinaflash

    Joined:
    Jan 13, 2016
    Messages:
    43
    Likes Received:
    17
    3CX is not Asterisk based so it's not affected.
     
    wardmundy likes this.
  16. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    Have you tried it with nat=yes and leaving 10000-20000 blocked? I know it sounds crazy on a cloud server, but we've never had much luck with any calls with nat=no regardless of the location of the server.
     
  17. KUMARULLAL

    KUMARULLAL Guru

    Joined:
    Feb 20, 2008
    Messages:
    195
    Likes Received:
    16
    Yes, tried nat=yes with no luck
     
  18. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
  19. hawk#1

    hawk#1 Member

    Joined:
    Nov 3, 2015
    Messages:
    40
    Likes Received:
    15
    @wardmundy
    do you plan on including the change in your snapshots for new installs, or will we need to remember to change Travelin’ Man on clean installs?
     
  20. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    Already modified in the new installs. Also just finished a refresh on Incredible PBX 13 for CentOS 6.x that includes latest Asterisk 13.17.1 fix.

    [​IMG]
     
    hawk#1 likes this.

Share This Page