| Summary: | ASTERISK-13310: Security Vulnerability | ||
| Reporter: | nick_lewis (nick_lewis) | Labels: | |
| Date Opened: | 2009-03-16 11:03:48 | Date Closed: | 2011-06-07 14:03:03 |
| Priority: | Major | Regression? | No |
| Status: | Closed/Complete | Components: | Channels/chan_sip/General |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | The IETF have published a description of a SIP security vulnerability at http://tools.ietf.org/id/draft-state-sip-relay-attack-00.txt It proposes that user agent clients (such as asterisk with sip trunks) mitigate the threat by accepting incoming invites only from a configured outbound proxy: "This means that [the] UA shall only accept SIP messages with a source IP address set to the outbound proxy's IP address" In the current implementation asterisk does try to perform some IP address matching on incoming SIP invites but this does not include matching to the outbound proxy. | ||
| Comments: | By: Leif Madsen (lmadsen) 2009-04-01 19:23:22 Assigned to file for now to review. Please reset back to 'New' if you are unable to move this forward. Thanks! By: Joshua C. Colp (jcolp) 2009-04-15 12:51:55 After looking at this and having some discussions with people I've come to the conclusion that this can be overcome by a properly configured sip.conf. As we don't force a user to configure things in a specific way it is up to them. | ||