Summary: ASTERISK-15004: [patch] Security Problem
Reporter: Thomas Athineou (thom4fun)
Labels:
Date Opened: 2009-10-18 03:22:24
Date Closed: 2009-10-26 14:48:09
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) 16091.diff, (1) CLI_OUT.txt

Description:

We use Asterisk 1.6.1.6. It seems that Asterisk will ignore the deny and permit values. I tried it just like in 1.4, where it works fine, but if I use the values

    deny=0.0.0.0/0.0.0.0
    permit=192.168.30.10

the call will be executed from everywhere. I also tried the insecure option, but I do not find a reason to give some special clients the possibility to make an invite without authentication. It looks like: Everybody or Nobody! We also tried to use these options in the file sip.conf and in the PGSQL database. Are there some hints to get deny/permit to work?

Regards
Thomas

****** ADDITIONAL INFORMATION ******

Same problem with or without Realtime PGSQL.

Comments:

By: Elazar Broad (ebroad) 2009-10-18 14:56:55

Try adding a /255.255.255.255 after the single IP; if that doesn't work, try contactpermit/contactdeny.

By: Thomas Athineou (thom4fun) 2009-10-19 03:17:09

Hello ebroad, thanks for the answer. Now I have a new user in sip.conf:

    [12345]
    type=friend
    context=athineou
    secret=333
    host=dynamic
    deny=0.0.0.0/0.0.0.0
    permit=192.168.99.60/255.255.255.255
    contactdeny=0.0.0.0/0.0.0.0
    contactpermit=192.168.99.60/255.255.255.255

Now I cannot register the client, but the client can dial and execute the dialplan. Also: changes of deny and permit affect the register command but not the dial command, and the changes take effect only after a restart, not after reload or sip reload. Any further suggestions?

Regards
Thomas

By: Elazar Broad (ebroad) 2009-10-19 12:12:48

Ok, contactpermit/contactdeny restrict where a peer can register from. In trunk, permit/deny seem to do this as well. I can make a call though (call without reg), even if I deny all for the peer, so I am going to confirm this one.

By: Thomas Athineou (thom4fun) 2009-10-19 12:24:25

Hello ebroad, please excuse my English, but what does it mean to confirm it? Is there somebody who can patch it? Or will it be repaired in the next version?

Regards and greetings from Greece
Thomas

By: Elazar Broad (ebroad) 2009-10-19 12:37:43

Quick question, what do you have for allowguest in your sip.conf?

By: Thomas Athineou (thom4fun) 2009-10-19 12:46:47

allowguest = no

By: Thomas Athineou (thom4fun) 2009-10-19 12:57:48

What I want to do is the following: I run Asterisk with a very high load, which means that most of the channels I use will play back a .wav file. What I saw is that one call will use 0.1% of CPU power. But if I use more than roughly 130 channels at the same time, there are one or more "ghost channels". Those channels will use 10% or more CPU load per channel. I think that there are too many SIP headers between Asterisk and the client.

And my attempt is to use an invite without authentication to save a lot of SIP requests. In earlier versions I used insecure=invite so that a client that is registered does not need authentication, but this feature seems out of order in version 1.6. So my attempt was to get the security over deny/permit....

By: Elazar Broad (ebroad) 2009-10-19 13:08:53

insecure=invite should work in 1.6, though in my humble opinion the challenge authentication used by SIP is pretty insignificant as far as CPU usage is concerned. With that said, permit/deny, at least from its design intentions, should restrict traffic on a per-peer basis, though I am discussing this with an Asterisk developer. I'll see if I can put together a patch for this soon.

By: Thomas Athineou (thom4fun) 2009-10-19 13:45:05

Many thanks for your help and cooperation. I will wait for your patch to have a try with it. After patching Asterisk, I can give you more information regarding the high load issue. By the way, the information I gave is wrong. First I get a lot of SIP response code 500 before the CPU load goes higher and higher, but not at 130 channels. This is the effect if I use more than 130 active calls with more than roughly 200 active channels. Please excuse the first wrong information.

Regards
Thomas

By: Elazar Broad (ebroad) 2009-10-19 14:42:43

Try this:

    [12345]
    type=user
    context=athineou
    secret=333
    host=dynamic
    deny=0.0.0.0/0.0.0.0
    permit=192.168.99.60/255.255.255.255
    insecure=invite

By: Thomas Athineou (thom4fun) 2009-10-20 00:03:32

I changed to:

    [12345]
    type=user
    context=athineou
    secret=333
    host=dynamic
    deny=0.0.0.0/0.0.0.0
    permit=192.168.99.60/255.255.255.255
    insecure=invite
    nat=yes

because the Asterisk has a public IP and I am behind NAT, but deny is ignored, you can dial from everywhere... the client is not registered!!! (I do sip reload and also restart.)

By: Thomas Athineou (thom4fun) 2009-10-20 00:52:39

Also, now I can dial from everywhere without any secret (without a password).

By: Elazar Broad (ebroad) 2009-10-20 09:24:25

Can you please post a sip debug and a verbose trace. You can accomplish this by issuing:

    sip set debug on
    core set verbose 3

in the Asterisk CLI. Thanks!

By: Thomas Athineou (thom4fun) 2009-10-20 12:44:44

Sure, please find attached the file CLI_Out.txt. Is it what you asked for?

Regards
Thomas

By: Elazar Broad (ebroad) 2009-10-20 14:55:04

After discussing this with some Asterisk developers on #asterisk-dev, permit/deny only work for registrations, while they really should work for all traffic, so we definitely have a bug here. I will see if I can put together a patch this week, though I can't guarantee anything...

By: Elazar Broad (ebroad) 2009-10-20 15:36:11

The attached patch is against SVN trunk, though it should apply cleanly to 1.6.1.6. It is a quick (and somewhat dirty) copy and paste from register_verify(), but it seems to do the job.

By: Thomas Athineou (thom4fun) 2009-10-20 16:17:07

Many thanks for your help, there is no problem to wait some days. We are happy to have Asterisk, what a big project, what a nice software, all for free... I'll be waiting...... But please allow one more question. Today I again tried to make more calls with Asterisk and any way I try, I run into errors if I use more than 140 active calls with 200 channels, all with SIP, no translation to different codecs, with a lot of power on the server. Is it a limit of Asterisk? (On a different machine, we ran more than 60.000 calls today, limiting the maximum of active calls to 130, and ran without any errors!!!)

Greetings
Thomas

By: Jeff Peeler (jpeeler) 2009-10-20 18:12:12

ebroad: I assume I'll be able to talk to you about this tomorrow on IRC, but I'm finding calls are going through with a user configured to deny all even in 1.4.

By: Elazar Broad (ebroad) 2009-10-20 18:47:35

That would be bad. I should be on for a bit tomorrow, and maybe later tonight if you are around. In my tests, my UA was getting 403's...

By: Digium Subversion (svnbot) 2009-10-26 14:45:13

Repository: asterisk
Revision: 225912

U   trunk/channels/chan_sip.c

------------------------------------------------------------------------
r225912 | jpeeler | 2009-10-26 14:45:12 -0500 (Mon, 26 Oct 2009) | 12 lines

ACL check not present for verifying SIP INVITEs

The ACL check in check_peer_ok was missing and has now been restored. The missing check allowed for calls to be made on prohibited networks where an ACL was defined in sip.conf and the allowguest option was set to off. See the AST security advisory below for more information.

Merge code associated with AST-2009-007.

(closes issue ASTERISK-15004)
Reported by: thom4fun
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=225912

By: Digium Subversion (svnbot) 2009-10-26 14:46:16

Repository: asterisk
Revision: 225913

_U  branches/1.6.1/
U   branches/1.6.1/channels/chan_sip.c

------------------------------------------------------------------------
r225913 | jpeeler | 2009-10-26 14:46:16 -0500 (Mon, 26 Oct 2009) | 19 lines

Merged revisions 225912 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
  r225912 | jpeeler | 2009-10-26 14:40:26 -0500 (Mon, 26 Oct 2009) | 12 lines

  ACL check not present for verifying SIP INVITEs

  The ACL check in check_peer_ok was missing and has now been restored. The missing check allowed for calls to be made on prohibited networks where an ACL was defined in sip.conf and the allowguest option was set to off. See the AST security advisory below for more information.

  Merge code associated with AST-2009-007.

  (closes issue ASTERISK-15004)
  Reported by: thom4fun
........
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=225913

By: Digium Subversion (svnbot) 2009-10-26 14:47:05

Repository: asterisk
Revision: 225914

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_sip.c

------------------------------------------------------------------------
r225914 | jpeeler | 2009-10-26 14:47:05 -0500 (Mon, 26 Oct 2009) | 19 lines

Merged revisions 225912 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
  r225912 | jpeeler | 2009-10-26 14:40:26 -0500 (Mon, 26 Oct 2009) | 12 lines

  ACL check not present for verifying SIP INVITEs

  The ACL check in check_peer_ok was missing and has now been restored. The missing check allowed for calls to be made on prohibited networks where an ACL was defined in sip.conf and the allowguest option was set to off. See the AST security advisory below for more information.

  Merge code associated with AST-2009-007.

  (closes issue ASTERISK-15004)
  Reported by: thom4fun
........
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=225914

By: Digium Subversion (svnbot) 2009-10-26 14:47:26

Repository: asterisk
Revision: 225915

U   tags/1.6.1.8/channels/chan_sip.c

------------------------------------------------------------------------
r225915 | jpeeler | 2009-10-26 14:47:25 -0500 (Mon, 26 Oct 2009) | 12 lines

ACL check not present for verifying SIP INVITEs

The ACL check in check_peer_ok was missing and has now been restored. The missing check allowed for calls to be made on prohibited networks where an ACL was defined in sip.conf and the allowguest option was set to off. See the AST security advisory below for more information.

Merge code associated with AST-2009-007.

(closes issue ASTERISK-15004)
Reported by: thom4fun
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=225915

By: Digium Subversion (svnbot) 2009-10-26 14:48:08

Repository: asterisk
Revision: 225916

_U  branches/1.6.0/

------------------------------------------------------------------------
r225916 | jpeeler | 2009-10-26 14:48:08 -0500 (Mon, 26 Oct 2009) | 18 lines

Blocked revisions 225912 via svnmerge

........
  r225912 | jpeeler | 2009-10-26 14:40:26 -0500 (Mon, 26 Oct 2009) | 12 lines

  ACL check not present for verifying SIP INVITEs

  The ACL check in check_peer_ok was missing and has now been restored. The missing check allowed for calls to be made on prohibited networks where an ACL was defined in sip.conf and the allowguest option was set to off. See the AST security advisory below for more information.

  Merge code associated with AST-2009-007.

  (closes issue ASTERISK-15004)
  Reported by: thom4fun
........
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=225916
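As an added illustration (not code from the issue, the attached patch, or Asterisk itself), the Python below models the ordered deny/permit ACL that chan_sip builds from a peer's sip.conf section and the gap the commit message describes: register_verify() applied the ACL, but check_peer_ok did not apply it to INVITEs before r225912. Assumptions: the last matching rule wins and a bare address means a single host (/32), as in Asterisk's ACL handling; the status codes and the acl_checked_for_invite switch are the model's own.

```python
import ipaddress
from typing import List, Tuple

# One (sense, network) entry per deny=/permit= line, in sip.conf order.
Rule = Tuple[str, ipaddress.IPv4Network]


def parse_acl(lines: List[str]) -> List[Rule]:
    """Build the ordered ACL from 'deny=' / 'permit=' lines. The mask may be
    dotted (0.0.0.0/0.0.0.0) or CIDR; a bare address is assumed to mean a
    single host (/32), which is how Asterisk treats a missing mask."""
    acl: List[Rule] = []
    for line in lines:
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in ("deny", "permit"):
            continue  # other sip.conf options are not part of the ACL
        if "/" not in value:
            value += "/32"
        acl.append((key, ipaddress.ip_network(value, strict=False)))
    return acl


def acl_allows(acl: List[Rule], src_ip: str) -> bool:
    """Walk the rules in order; the last matching rule decides, and an empty
    list or no match allows the source (modelled on ast_apply_ha)."""
    src = ipaddress.ip_address(src_ip)
    verdict = True
    for sense, net in acl:
        if src in net:
            verdict = sense == "permit"
    return verdict


def handle_request(method: str, acl: List[Rule], src_ip: str,
                   acl_checked_for_invite: bool) -> int:
    """SIP status for a request from src_ip against the peer's ACL.
    register_verify() always applied the ACL; acl_checked_for_invite=False
    models check_peer_ok before r225912, True models it after the fix."""
    if method == "REGISTER" or acl_checked_for_invite:
        if not acl_allows(acl, src_ip):
            return 403  # Forbidden (ACL): source network is denied
    return 200  # accepted; authentication would follow in real chan_sip


if __name__ == "__main__":
    # Constructed sample: the reporter's deny-all / permit-one-host peer.
    peer = parse_acl(["deny=0.0.0.0/0.0.0.0", "permit=192.168.99.60/255.255.255.255"])
    for method, fixed in (("REGISTER", False), ("INVITE", False), ("INVITE", True)):
        print(method, "fixed" if fixed else "unfixed", handle_request(method, peer, "10.0.0.5", fixed))
```

Running it shows the thread's symptom directly: REGISTER from an outside address gets 403 while an unfixed INVITE from the same address gets through, and the fixed path rejects both.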