Summary: ASTERISK-15121: security issue - Chinese IPs somehow are making calls without authentication
Reporter: Lee Howard (faxguy)
Labels:
Date Opened: 2009-11-11 17:15:53.000-0600
Date Closed: 2011-06-07 14:07:20
Versions:
Frequency of
Description: This is from the CLI. I don't know who it is, but for at least a week now they've (that whole Class C network) been making calls out through my Asterisk system without authentication. I don't know how...

   -- Executing [011441616604001@default:1] Dial("SIP/", "IAX2/obfuscated-user:obfuscated-pass@voip-co2.teliax.com/011441616604001") in new stack
   -- Called obfuscated-user:obfuscated-pass@voip-co2.teliax.com/011441616604001
   -- Call accepted by (format ulaw)
   -- Format for call is ulaw
   -- IAX2/ is ringing
   -- IAX2/ stopped sounds
   -- IAX2/ answered SIP/
   -- Hungup 'IAX2/'
 == Spawn extension (default, 011441616604001, 1) exited non-zero on 'SIP/'

To remedy this I have simply firewalled out their IP range.  But I'd like to fix the problem with the SIP driver directly.
Comments:
By: David Brillert (aragon) 2009-11-11 17:40:46.000-0600

I think you will find this is related to the following:

By: David Brillert (aragon) 2009-11-11 17:42:35.000-0600

Also several patches were made to Asterisk as a result of that security patch.
You will probably want to test/upgrade 1.4.27rc4 to get all of the required patches.

By: Lee Howard (faxguy) 2009-11-11 17:59:05.000-0600

AST-2009-006 deals with IAX2.  This is SIP.  Or am I missing something?

By: Jason Parker (jparker) 2009-11-11 18:04:23.000-0600

Did you read doc/security.txt in the source tree?  It does not appear that you have followed it.

Also, without seeing the incoming channel and the SIP debug, it will be impossible to say what is happening here.

By: Lee Howard (faxguy) 2009-11-12 00:10:23.000-0600

qwell, I am not trying to imply in any way that there is no weakness in my dialplan. I'm just trying to report a bug. I have now read doc/security.txt, and while it's clear that I did not follow it in my dialplan construction, the document doesn't say that the "default" context in the dialplan is intentionally available to the public. The document doesn't say *why* one should avoid using the "default" context for outbound calls; I assume that it's only because the name of the "default" context is easy to guess.

I'm completely capable of reworking the dialplan to keep these rogue callers from getting anywhere.  But what I'm concerned about, and what I'm trying to report here is that there is a security vulnerability that's allowing this to happen.

I understand that the information I've provided is insufficient to figure out what is going on. I've provided it as a mere illustration in case it was a known issue or in case it was otherwise obvious to someone more familiar with the inner workings of the SIP channel driver. Since it does not seem to be a known issue, and since it is insufficient, please tell me what I should do to give you adequate information. How do I give you the incoming channel and the SIP debug in an unattended way?

By: Alec Davis (alecdavis) 2009-11-12 00:30:40.000-0600

default in sip.conf allowguest=yes

Which, as it sounds, means any changes you've made in the [default] context will allow any 'guest' user to do whatever the default context lets you do; dial out, by the sound of things.

refer https://issues.asterisk.org/view.php?id=15101

Please confirm whether this is your case or not. I want this loophole closed.

By: Alec Davis (alecdavis) 2009-11-12 00:43:25.000-0600

In fact, if you have a clean sip.conf, not from sip.conf.sample, you won't even have the line to prompt you.

Excerpt below from the sip.conf installed with 'make samples'.

context=default                 ; Default context for incoming calls
;allowguest=no                  ; Allow or reject guest calls (default is yes)
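
An audit script for the default Alec describes, added here as an example (not code from the ticket or from Asterisk): it parses a sip.conf, treats a missing allowguest as yes and a missing context as 'default', and reports where unauthenticated INVITEs would land. The two sample files are constructed from the excerpt above; the 'unauthenticated' context name in the hardened variant is an assumption.

```python
"""Audit sip.conf for this ticket's exposure: with no allowguest line in [general],
Asterisk treats it as yes and routes unauthenticated INVITEs into the [general]
context.  Added example; not code from the ticket or from Asterisk."""
import re

TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}   # values Asterisk's ast_true() accepts

# Constructed sample reproducing the reporter's file: the 'make samples' lines
# with allowguest commented out and the shipped context=default.
VULNERABLE_SIP_CONF = """
[general]
context=default                 ; Default context for incoming calls
;allowguest=no                  ; Allow or reject guest calls (default is yes)
"""

# Constructed hardened version: guests rejected, fallback context cannot dial out.
HARDENED_SIP_CONF = """
[general]
allowguest=no                   ; reject unauthenticated (guest) calls
context=unauthenticated         ; assumed name: a context with no Dial()
"""

def parse_asterisk_conf(text):
    """Parse Asterisk's INI-like syntax ([section], key=value or key => value, ';' comments)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        parts = re.split(r"\s*=>?\s*", line, maxsplit=1)
        if len(parts) == 2 and current is not None:
            sections[current][parts[0].lower()] = parts[1]   # later keys overwrite
    return sections

def audit_guest_exposure(sip_conf_text):
    """Report whether unauthenticated callers are accepted and which context they land in."""
    general = parse_asterisk_conf(sip_conf_text).get("general", {})
    allowguest = general.get("allowguest", "yes").lower()   # absent means yes
    context = general.get("context", "default")             # absent means 'default'
    accepted = allowguest in TRUE_VALUES
    return {
        "allowguest": allowguest,
        "guest_context": context,
        "guest_calls_accepted": accepted,
        "guest_context_is_sample_default": accepted and context == "default",  # easy to guess
    }
```

Run `audit_guest_exposure(open("/etc/asterisk/sip.conf").read())` against a live box; a result with `guest_calls_accepted` True means the context it names is reachable by anyone who can send an INVITE.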

By: Lee Howard (faxguy) 2009-11-12 00:50:37.000-0600

I do not have any allowguest entry in my sip.conf file.

And now I see that allowguest defaults to yes.  (?!?!?!?!)

How incredibly insane that is.  So, by default Asterisk allows anyone to place calls via SIP without authentication.

I've now set allowguest=no in my [general] section of sip.conf, but let me second the opinion that this is an incredibly insecure default setting.

By: Alec Davis (alecdavis) 2009-11-12 01:43:46.000-0600

What Asterisk distribution did you use?

Your own build, or a prebuilt version?

By: Lee Howard (faxguy) 2009-11-12 01:54:23.000-0600

My own build from the Asterisk tarball.

By: Alec Davis (alecdavis) 2009-11-12 02:12:40.000-0600

Guess you didn't run "make samples", as that may have overwritten your existing configuration, if you had one.

make samples installs the following file

which contains
;allowguest=no                  ; Allow or reject guest calls (default is yes)

By: Lee Howard (faxguy) 2009-11-12 02:28:49.000-0600

Even if I had run 'make samples' and ended up with that comment in the sip.conf file it's commented-out and the default is still to allow unauthenticated users to place calls in the context specified in [general].

I'm certain that those who are exploiting this know that I'm not the only one who trusts default settings to be secure.

By: Alec Davis (alecdavis) 2009-11-12 02:36:51.000-0600

Check out http://www.emergingthreats.net/ and their iptables rules.

By: Leif Madsen (lmadsen) 2009-11-12 07:37:00.000-0600

This is not a bug, or a security issue. It is a configuration issue. Any further discussion should be done on the asterisk-users mailing list.