Summary: | ASTERISK-04500: someone can place an unauthenticated call even though auth=rsa is defined on the host | ||
Reporter: | malted (malted) | Labels: | |
Date Opened: | 2005-06-29 08:02:14 | Date Closed: | 2011-06-07 14:02:42 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Core/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ||
Description: | Steps to reproduce Host has this iax.conf --file begin-- [general] bindport=4569 bandwidth=high disallow=lpc10 ; Icky sound quality... Mr. Roboto. allow=alaw jitterbuffer=no tos=lowdelay [iaxuser] type=user auth=rsa inkey=asdf --file end-- The client (aka the attacker) has this iax.conf --file begin-- [general] bindport=4569 ; bindport and bindaddr may be specified bandwidth=high allow=alaw disallow=lpc10 ; Icky sound quality... Mr. Roboto. jitterbuffer=no forcejitterbuffer=no tos=lowdelay autokill=yes [iaxhost] type=peer host=voip.iaxhost.com username=iaxuser --file end-- Client is CVS Head (2005-06-28) and the host is 1.0.8. The evil attacker wants to place calls via the host but doesn't know the rsa-key (and thus providing neither auth= nor outkey). If this evil client does Dial(IAX2/iaxhost/62583) the host is "Accepting unauthenticated call from attacker". This is a serious security problem. | ||
Comments: | By: Brian West (bkw918) 2005-06-29 14:13:12 its not a block but might be major, I suspect a config error. Did you init the keys? with the CLI command "init keys" to make the RSA key active? Also put context=NOSUCH-CONTEXT in the [general] section on the iaxhost. /b By: Michael Jerris (mikej) 2005-07-06 11:10:06 Any updates on this? 1 week no response. This will be closed as a probable config error if we get no response. By: malted (malted) 2005-07-06 11:21:19 I upgraded to cvs-head and it seems to work as expected. Please close this bug, because it contains a config error. (inkey= instead of inkeys=) But it still may be risky, because someone is left in the feeling that it would be sufficiant to specify auth=rsa to exclude all peers that aren't authenticated via rsa. By: Michael Jerris (mikej) 2005-07-06 11:25:59 Closed at OP's request. |