AST-2008-010: Asterisk IAX 'POKE' resource exhaustion

2008-07-24 00:00:00
vulners.com
           Asterisk Project Security Advisory - AST-2008-010

+------------------------------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | Asterisk IAX 'POKE' resource exhaustion         |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | Denial of service                               |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote Unauthenticated Sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Critical                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | Yes                                             |
|----------------------+-------------------------------------------------|
| Reported On          | July 18, 2008                                   |
|----------------------+-------------------------------------------------|
| Reported By          | Jeremy McNamara < jj AT nufone DOT net >        |
|----------------------+-------------------------------------------------|
| Posted On            | July 22, 2008                                   |
|----------------------+-------------------------------------------------|
| Last Updated On      | July 22, 2008                                   |
|----------------------+-------------------------------------------------|
| Advisory Contact     | Tilghman Lesher < tlesher AT digium DOT com >   |
|----------------------+-------------------------------------------------|
| CVE Name             | CVE-2008-3263                                   |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | By flooding an Asterisk server with IAX2 'POKE'          |
|             | requests, an attacker may eat up all call numbers        |
|             | associated with the IAX2 protocol on an Asterisk server  |
|             | and prevent other IAX2 calls from getting through. Due   |
|             | to the nature of the protocol, IAX2 POKE calls will      |
|             | expect an ACK packet in response to the PONG packet sent |
|             | in response to the POKE. While waiting for this ACK      |
|             | packet, this dialog consumes an IAX2 call number, as the |
|             | ACK packet must contain the same call number as was      |
|             | allocated and sent in the PONG.                          |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | The implementation has been changed to no longer allocate |
|            | an IAX2 call number for POKE requests. Instead, call      |
|            | number 1 has been reserved for all responses to POKE      |
|            | requests, and ACK packets referencing call number 1 will  |
|            | be silently dropped.                                      |
+------------------------------------------------------------------------+
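The POKE/PONG/ACK exchange and the fix described above, modelled as an added Python example (this is not Asterisk's chan_iax2 code): a 12-byte IAX2 full-frame header, a tiny call-number pool, and a peer that either allocates one call number per pending POKE (pre-fix) or answers every POKE from reserved call number 1 and drops ACKs addressed to it (post-fix). MAX_CALLS, IaxPeer and simulate_unacked_pokes are constructed for the example; the subclass values are the IAX2 ones.

```python
import struct

IAX_FRAME = 0x06                      # full-frame type: IAX control frame
IAX_POKE, IAX_PONG, IAX_ACK = 0x1E, 0x03, 0x04   # IAX subclass values (RFC 5456)
MAX_CALLS = 8                         # constructed: tiny call-number space so exhaustion is visible
RESERVED_POKE_CALL = 1                # after the fix, every PONG answering a POKE uses call number 1

def full_frame(src_call, dst_call, ts, oseq, iseq, ftype, subclass):
    """Build a 12-byte IAX2 full-frame header; the F bit marks a full frame."""
    return struct.pack("!HHIBBBB", 0x8000 | src_call, dst_call, ts, oseq, iseq, ftype, subclass)

def parse_full_frame(data):
    src, dst, _ts, _oseq, _iseq, ftype, sub = struct.unpack("!HHIBBBB", data[:12])
    return {"src_call": src & 0x7FFF, "dst_call": dst & 0x7FFF, "type": ftype, "subclass": sub}

class IaxPeer:
    def __init__(self, fixed):
        self.fixed = fixed            # False: pre-fix behaviour, True: AST-2008-010 behaviour
        self.calls = {}               # local call number -> "await_ack"

    def _alloc(self):
        # 0 means "no call number"; 1 is kept out of the pool so it can be reserved
        for n in range(2, MAX_CALLS + 1):
            if n not in self.calls:
                self.calls[n] = "await_ack"
                return n
        return None                   # pool exhausted: no new IAX2 call can be set up

    def handle(self, data):
        f = parse_full_frame(data)
        if f["type"] != IAX_FRAME:
            return None
        if f["subclass"] == IAX_POKE:
            local = RESERVED_POKE_CALL if self.fixed else self._alloc()
            if local is None:
                return None                       # pre-fix pool exhausted: POKE goes unanswered
            return full_frame(local, f["src_call"], 0, 0, 1, IAX_FRAME, IAX_PONG)
        if f["subclass"] == IAX_ACK:
            if self.fixed and f["dst_call"] == RESERVED_POKE_CALL:
                return None                       # ACKs for call number 1 are silently dropped
            self.calls.pop(f["dst_call"], None)   # ACK completes the dialog, freeing the number
        return None

def simulate_unacked_pokes(fixed, count):
    """Feed `count` POKEs that are never ACKed; return how many call numbers stay tied up."""
    peer = IaxPeer(fixed)
    for i in range(count):
        peer.handle(full_frame(100 + i, 0, 0, 0, 0, IAX_FRAME, IAX_POKE))
    return len(peer.calls)
```

Pre-fix, the unanswered dialogs pin down every allocatable call number; post-fix the same input leaves the pool untouched, which is why reserving call number 1 removes the exhaustion rather than just slowing it.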

+------------------------------------------------------------------------+
| Commentary | This vulnerability was reported to us without exploit     |
|            | code, less than two days before public release, with      |
|            | exploit code. Additionally, we were not informed of the   |
|            | public release of the exploit code and only learned this  |
|            | fact from a third party. We reiterate that this is        |
|            | irresponsible security disclosure, and we recommend that  |
|            | in the future, adequate time be given to fix any such     |
|            | vulnerability. Recommended reading:                       |
|            | http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                           Affected Versions                            |
|----------------------------------+-------------+-----------------------|
| Product                          |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source             |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source             |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source             |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons                  |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons                  |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition        |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition        |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition        |             |                       |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW                      |             |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit |             |                       |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance)       |             |                       |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                              Corrected In                              |
|---------------------------------------------+--------------------------|
| Product                                     |                          |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        |                          |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        |                          |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   |                          |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   |                          |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   |                          |
|---------------------------------------------+--------------------------|
| s800i (Asterisk Appliance)                  |                          |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf |
|-------+----------------------------------------------------------------|
|       | http://www.securityfocus.com/bid/30321/info                    |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2008-010.pdf and          |
| http://downloads.digium.com/pub/security/AST-2008-010.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                            Revision History                            |
|------------------+--------------------+--------------------------------|
| Date             |                    |                                |
|------------------+--------------------+--------------------------------|
| July 22, 2008    |                    |                                |
|------------------+--------------------+--------------------------------|
| July 22, 2008    |                    |                                |
+------------------------------------------------------------------------+
          Copyright (c) 2008 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.