Earlier this week, the security team at Digium released Asterisk Project Security Advisory AST-2009-010, identifying an interesting attack in which an attacker sends a malformed RTP packet within an established RTP stream and crashes the Asterisk system. The fix identified is to upgrade to the latest version of Asterisk.
My one bit of feedback to the folks at Digium would be that their advisories do not provide any information about mitigating circumstances. (Would be great if they could add such a section.)
In this particular case, I confirmed with Digium that this advisory only affects systems that allow public unauthenticated calls over an IP connection. So Asterisk systems that are only used for PSTN connectivity – or only allow authenticated connections/calls – are not vulnerable to this attack. My Digium contact indicated:
The attacker would have to be capable of negotiating an RTP stream and then sending the Comfort Noise payload within the stream to crash the system.
He also indicated that IAX connections are not affected, as they do not use RTP streams. So basically, you are only vulnerable to this attack if you allow anyone to connect to your Asterisk box over an IP network, presumably using SIP.
If you aren’t allowing those connections, it’s probably still good to upgrade… but you are apparently not vulnerable to the specific attacks outlined in the advisory.
We discussed this exact scenario in detail during the most recent session on SIP Trunking security at the Spring ITExpo 2009.
The vulnerability is one example of the threats that exist when exposing any IP-PBX (including Asterisk) to the outside world without an SBC with packet inspection playing the role of security guard. We strongly suggest that our solution designers use our eSBC function in our MSBG platform to secure their point of entry.
If there is a crack, the bad guys will find it – especially in the open source world when they have the source code to your IP-PBX.
No IT manager wants a resume-generating event to occur on their IP-PBX.
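The "packet inspection" role the comment above assigns to an SBC, as an added example (written for this page; not AudioCodes, Digium or Asterisk code): a minimal RTP parser following RFC 3550 that rejects malformed headers and applies a length policy to comfort-noise frames (static payload type 13, RFC 3551, payload format per RFC 3389) before they reach the PBX. The MAX_CN_PAYLOAD limit and the sample packets are constructed for illustration; the post does not say what makes the crashing frame malformed, so this is a generic sanity check on the stream, not a signature for AST-2009-010.

```python
"""Inspect RTP packets the way an SBC sitting in front of an IP-PBX might.
Added example for this post; parsing follows RFC 3550, the CN policy limit
is an illustrative assumption, and the sample packets are constructed."""
import struct

RTP_VERSION = 2
PT_COMFORT_NOISE = 13   # static CN payload type (RFC 3551 / RFC 3389)
# Assumption for this example only: the longest CN payload the inspector will
# forward. RFC 3389 frames are one noise-level byte plus spectral bytes; this
# number is a policy choice, not the limit in Asterisk's code.
MAX_CN_PAYLOAD = 32


class RtpError(ValueError):
    """Raised for packets that do not parse as RTP."""


def parse_rtp(packet):
    """Parse an RTP packet into its header fields and payload (RFC 3550 5.1)."""
    if len(packet) < 12:
        raise RtpError("shorter than the 12-byte fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    version, padding, extension, cc = b0 >> 6, (b0 >> 5) & 1, (b0 >> 4) & 1, b0 & 0x0F
    if version != RTP_VERSION:
        raise RtpError(f"version {version}, expected {RTP_VERSION}")
    marker, payload_type = b1 >> 7, b1 & 0x7F
    offset = 12 + 4 * cc                      # CSRC list follows the fixed header
    if len(packet) < offset:
        raise RtpError("CSRC count exceeds packet length")
    if extension:                             # 2-byte profile id + 2-byte word count
        if len(packet) < offset + 4:
            raise RtpError("truncated header extension")
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
        if len(packet) < offset:
            raise RtpError("header extension exceeds packet length")
    end = len(packet)
    if padding:                               # last byte says how many pad bytes
        pad = packet[-1]
        if pad == 0 or offset + pad > end:
            raise RtpError("invalid padding count")
        end -= pad
    return {"payload_type": payload_type, "marker": marker, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": packet[offset:end]}


def inspect_packet(packet):
    """Return ('forward' | 'drop', reason) for one RTP packet."""
    try:
        rtp = parse_rtp(packet)
    except RtpError as err:
        return "drop", f"malformed RTP header: {err}"
    if rtp["payload_type"] == PT_COMFORT_NOISE:
        n = len(rtp["payload"])
        if n == 0:
            return "drop", "CN frame without a noise-level byte"
        if n > MAX_CN_PAYLOAD:
            return "drop", f"CN frame with {n}-byte payload exceeds policy limit"
        return "forward", f"CN frame, noise level {rtp['payload'][0] & 0x7F}"
    return "forward", f"payload type {rtp['payload_type']}, {len(rtp['payload'])} bytes"


def build_rtp(payload_type, seq, timestamp, ssrc, payload, marker=0):
    """Build a plain RTP packet (V=2, no padding/extension/CSRC) for testing."""
    return struct.pack("!BBHII", 0x80, (marker << 7) | payload_type,
                       seq, timestamp, ssrc) + payload


# Constructed packets, not captured traffic.
ULAW_FRAME = build_rtp(0, 1, 160, 0x1234, bytes(160))             # 20 ms of G.711u
CN_FRAME = build_rtp(13, 2, 320, 0x1234, bytes([0x20, 0x10, 0x05]))  # level + 2 coeffs
OVERSIZED_CN = build_rtp(13, 3, 480, 0x1234, bytes(200))          # over policy limit
EMPTY_CN = build_rtp(13, 4, 640, 0x1234, b"")                     # no noise-level byte
BAD_VERSION = bytes(12)                                           # V=0 header

if __name__ == "__main__":
    for name in ("ULAW_FRAME", "CN_FRAME", "OVERSIZED_CN", "EMPTY_CN", "BAD_VERSION"):
        print(name, inspect_packet(globals()[name]))
```

The point of the example is the ordering: the header is validated before any field is trusted, and payload-type-specific policy is applied before the PBX ever sees the frame. A real SBC would also pin the RTP source to the address and port negotiated in the SDP, which this stand-alone snippet cannot do.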