[Pkg-voip-commits] r9408 - in /asterisk/branches/lenny-security/debian: README.Debian changelog control patches/AST-2011-013 patches/series rules

tzafrir at alioth.debian.org
Thu Dec 15 12:28:19 UTC 2011


Author: tzafrir
Date: Thu Dec 15 12:28:18 2011
New Revision: 9408

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9408
Log:
1:1.4.21.2~dfsg-3+lenny6: AST-2011-013

Patch AST-2011-013: potential remote information disclosure
Closes: #651552 (CVE-2011-4597, the side issue. The DoS is
inapplicable to Lenny).
- The patch changes the sample sip.conf. We change the sample
  config files, but not the files under /etc/asterisk.

Added:
    asterisk/branches/lenny-security/debian/patches/AST-2011-013
Modified:
    asterisk/branches/lenny-security/debian/README.Debian
    asterisk/branches/lenny-security/debian/changelog
    asterisk/branches/lenny-security/debian/control
    asterisk/branches/lenny-security/debian/patches/series
    asterisk/branches/lenny-security/debian/rules

Modified: asterisk/branches/lenny-security/debian/README.Debian
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/README.Debian?rev=9408&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/README.Debian (original)
+++ asterisk/branches/lenny-security/debian/README.Debian Thu Dec 15 12:28:18 2011
@@ -59,7 +59,7 @@
 
 
 Open Files Limit
-===============
+================
 Asterisk uses one file-handle (and sometimes more) per call. Hence if you 
 have many simultaneous calls, you often bump into the per-process limit 
 of 1024 file handles, and get the error: "Too man open files".
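Review bot: the unchanged context line `of 1024 file handles, and get the error: "Too man open files".` still misquotes the kernel/libc message, which is "Too many open files"; since this hunk already touches the section only to fix its underline, correcting "man" to "many" in the same commit would be cheap and keeps the README greppable against the real error text.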
@@ -67,6 +67,49 @@
 To enlarge that limit, set: MAXFILES in /etc/default/zaptel.
 
 
+Nat=yes by Default
+==================
+Short version:
+As of version 1.4.21.2~dfsg-3+lenny6 (upstream 1.4.43), the default has
+changged from "nat=no" to "nat=yes" in sip.conf. Chances are this is
+the right setting for you, so just leave it. If you have different
+configuration between peer/user settings and the global ones, you'll get
+a warning. So just leave the defaults (nat=yes).
+
+Long version:
+This change is due to AST-2011-013 (CVE-2011-4597). A SIP client (UAC)
+contacts Asterisk acting as a SIP server (UAS). Asterisk needs to know
+where to send the response to. Originally Asterisk has followed the
+recommendations in RFC 3261, Asterisk sends the response to using the
+port number specified in the message. This tends to break when NAT is
+involved, and hence the option "rport" was added in RFC3581: just send
+it to the port number you recieved it from. This is really the sane
+thing to do.
+
+Forcing the usage of rport is probably the wise thing to do in just
+about any case. Rumour has it that some Cisco phones will break if it
+is used. More importantly, forcing it may break RFC3261 compliance, if
+you need it. But apart from that, there's really no reason for you to
+use it.
+
+Many SIP clients just added the rport option to their requests. But
+others didn't. Asterisk has added a configuration option "nat" to force
+using rport ("nat=yes". This also sets a few other things). Later
+versions of Asterisk have added 'nat=force_rport' that only forces rport.
+
+The problem is that the option has to be applied even before the remote
+client is fully authenticated: if the configuration differs between
+different peers / users, Asterisk will have to rely on the
+information in the initial request packet in order to know which user /
+peer this is and send the response to the right port number (originating
+or the one specified in the request).
+
+Thus in the worst case where the global settings are not set but it is set
+for each peer, a remote attacker can test if a user exists by creating
+a request (e.g. INVITE) with port set to $port1 and origignating from
+$port2. If the response goes to $port2, the user exists.
+
+
 Enjoy your PBX!
 
 Kilian Krause (for the pkg-voip team)
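Review bot: `But apart from that, there's really no reason for you to use it.` says the opposite of the paragraph it closes, which argues that forcing rport is "the wise thing to do in just about any case"; it should read "no reason for you not to use it". Same hunk, spelling: `changged` -> `changed`, `recieved` -> `received`, `origignating` -> `originating`. The sentence `Originally Asterisk has followed the recommendations in RFC 3261, Asterisk sends the response to using the port number specified in the message` is garbled and would be clearer as "Originally Asterisk followed RFC 3261 and sent the response to the port number given in the Via header", which also matches the wording in the upstream commit message ("the port listed for responses in the Via header").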

Modified: asterisk/branches/lenny-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/changelog?rev=9408&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/changelog (original)
+++ asterisk/branches/lenny-security/debian/changelog Thu Dec 15 12:28:18 2011
@@ -1,3 +1,14 @@
+asterisk (1:1.4.21.2~dfsg-3+lenny6) oldstable-security; urgency=high
+
+  * UNRELEASED
+  *  Patch AST-2011-013: potential remote information disclosure
+     Closes: #651552 (CVE-2011-4597 The side issue. The DoS is
+     inapplicable to Lenny).
+     - The patch changeges the sample sip.conf . We change the sample
+       config files, but not the files under /etc/asterisk .
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Thu, 15 Dec 2011 11:50:30 +0200
+
 asterisk (1:1.4.21.2~dfsg-3+lenny5) oldstable-security; urgency=high
 
   * Patch AST-2011-008: Use strlen rather than ast_str_len (Closes: #633481).
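Review bot: `* UNRELEASED` is still in an entry that targets oldstable-security with urgency=high; it has to be removed (dch -r) before the upload, otherwise the changelog records a release that never happened. Minor: `- The patch changeges the sample sip.conf .` should read "changes the sample sip.conf." (spelling and the stray space before the period), matching the corrected commit log.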

Modified: asterisk/branches/lenny-security/debian/control
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/control?rev=9408&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/control (original)
+++ asterisk/branches/lenny-security/debian/control Thu Dec 15 12:28:18 2011
@@ -3,7 +3,7 @@
 Section: comm
 Maintainer: Debian VoIP Team <pkg-voip-maintainers at lists.alioth.debian.org>
 Uploaders: Mark Purcell <msp at debian.org>, Kilian Krause <kilian at debian.org>, Tzafrir Cohen <tzafrir at debian.org>, Faidon Liambotis <paravoid at debian.org>
-Build-Depends: debhelper (>= 6.0.7), quilt, zlib1g-dev, libreadline5-dev, libgsm1-dev, libssl-dev, libtonezone-dev (>= 1:1.4.1~0), libasound2-dev, libpq-dev, unixodbc-dev, libpri-dev (>= 1.4.1), libvpb-dev, zaptel-source (>= 1:1.4.1~0), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev, libspeexdsp-dev, graphviz, libcurl4-openssl-dev | libcurl-dev, doxygen, gsfonts, libpopt-dev, libopenh323-dev (>= 1.17.4), libiksemel-dev, libradiusclient-ng-dev, freetds-dev, libvorbis-dev, libsnmp-dev, libc-client2007b-dev, libcap2-dev
+Build-Depends: debhelper (>= 6.0.7), quilt, zlib1g-dev, libreadline5-dev, libgsm1-dev, libssl-dev, libtonezone-dev (>= 1:1.4.1~0), libasound2-dev, libpq-dev, unixodbc-dev, libpri-dev (>= 1.4.1), libvpb-dev, zaptel-source (>= 1:1.4.1~0), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev, libspeexdsp-dev, graphviz, libcurl4-openssl-dev | libcurl-dev, doxygen, gsfonts, libpopt-dev, libopenh323-dev (>= 1.17.4), libiksemel-dev, libradiusclient-ng-dev, freetds-dev, libvorbis-dev, libsnmp-dev, libc-client2007b-dev, libcap2-dev, patchutils
 Standards-Version: 3.8.0
 Homepage: http://www.asterisk.org/
 Vcs-Svn: svn://svn.debian.org/pkg-voip/asterisk/trunk/
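Review bot: `patchutils` is the correct package for the `filterdiff` call added to debian/rules, so the dependency is right. Since that call lives in the target that runs `dh_installdeb -i` (the arch-independent asterisk-config package), Build-Depends-Indep would be the more precise field; plain Build-Depends is harmless, just slightly broader than needed.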

Added: asterisk/branches/lenny-security/debian/patches/AST-2011-013
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-013?rev=9408&op=file
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-013 (added)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-013 Thu Dec 15 12:28:18 2011
@@ -1,0 +1,176 @@
+From: Terry Wilson <twilson at digium.com>
+Date: Mon, 21 Nov 2011 19:54:07 +0000
+Subject: Default to nat=yes; warn when nat in general and peer differ
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=345776
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-18862
+
+It is possible to enumerate SIP usernames when the general and user/peer
+nat settings differ in whether to respond to the port a request is sent
+from or the port listed for responses in the Via header. In 1.4 and 1.6.2,
+this would mean if one setting was nat=yes or nat=route and the other was
+either nat=no or nat=never. In 1.8 and 10, this would mean when one was
+nat=force_rport and the other was nat=no.
+
+In order to address this problem, it was decided to switch the default
+behavior to nat=yes/force_rport as it is the most commonly used option
+and to strongly discourage setting nat per-peer/user when at all possible.
+
+For more discussion of the issue, please see:
+  http://lists.digium.com/pipermail/asterisk-dev/2011-November/052191.html
+
+Review: https://reviewboard.asterisk.org/r/1591/
+
+
+---
+ CHANGES                 |    8 ++++++++
+ channels/chan_sip.c     |   41 +++++++++++++++++++++++++++++------------
+ configs/sip.conf.sample |   17 ++++++++++-------
+ 3 files changed, 47 insertions(+), 19 deletions(-)
+
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,11 @@
++Changes since Asterisk 1.4.42
++
++    * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
++      now defaults to yes. It is very important that phones requiring nat=no be
++      specifically set as such instead of relying on the default setting. If at all
++      possible, all devices should have nat settings configured in the general section as
++      opposed to configuring nat per-device.
++
+ Changes since Asterisk 1.2:
+ 
+     * over 4,000 commits since 1.2
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -16633,15 +16633,14 @@ static int handle_common_options(struct
+ 		}
+ 	} else if (!strcasecmp(v->name, "nat")) {
+ 		ast_set_flag(&mask[0], SIP_NAT);
+-		ast_clear_flag(&flags[0], SIP_NAT);
+-		if (!strcasecmp(v->value, "never"))
+-			ast_set_flag(&flags[0], SIP_NAT_NEVER);
+-		else if (!strcasecmp(v->value, "route"))
+-			ast_set_flag(&flags[0], SIP_NAT_ROUTE);
+-		else if (ast_true(v->value))
+-			ast_set_flag(&flags[0], SIP_NAT_ALWAYS);
+-		else
+-			ast_set_flag(&flags[0], SIP_NAT_RFC3581);
++		ast_set_flag(&flags[0], SIP_NAT_ALWAYS);
++		if (!strcasecmp(v->value, "never")) {
++			ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_NEVER);
++		} else if (!strcasecmp(v->value, "route")) {
++			ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_ROUTE);
++		} else if (ast_false(v->value)) {
++			ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_RFC3581);
++		}
+ 	} else if (!strcasecmp(v->name, "canreinvite")) {
+ 		ast_set_flag(&mask[0], SIP_REINVITE);
+ 		ast_clear_flag(&flags[0], SIP_REINVITE);
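Review bot: with `ast_set_flag(&flags[0], SIP_NAT_ALWAYS);` now unconditional and only "never", "route" and `ast_false(v->value)` handled, any value that is none of those (a typo, an empty `nat=`, or `force_rport` copied from a 1.8 config) silently means nat=yes, whereas the old code fell through to SIP_NAT_RFC3581 (nat=no). Falling towards the safe default is defensible, but it should not be silent: log a warning for unrecognized values, and say in the commit message that the fallthrough behaviour changed.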
+@@ -17305,6 +17304,15 @@ static struct sip_peer *build_peer(const
+ 	return peer;
+ }
+ 
++static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
++	int global_nat, specific_nat;
++
++	if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT))) {
++		ast_log(LOG_WARNING, "sip.conf: Different 'nat' settings between [general] and section %s. See /usr/share/doc/asterisk/README.Debian.gz (global='%s' peer/user='%s')\n",
++				cat, nat2str(global_nat), nat2str(specific_nat));
++	}
++}
++
+ /*! \brief Re-read SIP.conf config file
+ \note	This function reloads all config data, except for
+ 	active peers (with registrations). They will only
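Review bot: display_nat_warning only runs when `reason == CHANNEL_MODULE_LOAD`, so a mismatch added to sip.conf and picked up by `sip reload` is never reported, which is precisely when an administrator is most likely to introduce one; unless reload noise is the concern, drop the gate or warn on reload as well. Two smaller points: the message hard-codes /usr/share/doc/asterisk/README.Debian.gz while the header still presents the patch as the unmodified upstream `Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=345776`, so the Debian-specific edit should be recorded in the header; and the two assignments inside the `if` condition would read better on their own lines above it.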
+@@ -17440,9 +17448,10 @@ static int reload_config(enum channelrel
+ 	ast_copy_string(default_mohinterpret, DEFAULT_MOHINTERPRET, sizeof(default_mohinterpret));
+ 	ast_copy_string(default_mohsuggest, DEFAULT_MOHSUGGEST, sizeof(default_mohsuggest));
+ 	ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
+-	ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833);			/*!< Default DTMF setting: RFC2833 */
+-	ast_set_flag(&global_flags[0], SIP_NAT_RFC3581);			/*!< NAT support if requested by device with rport */
+-	ast_set_flag(&global_flags[0], SIP_CAN_REINVITE);			/*!< Allow re-invites */
++	ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
++	ast_set_flag(&global_flags[0], SIP_NAT_RFC3581);  /*!< NAT support if requested by device with rport */
++	ast_set_flag(&global_flags[0], SIP_CAN_REINVITE); /*!< Allow re-invites */
++	ast_set_flag(&global_flags[0], SIP_NAT_ALWAYS);   /*!< Default to nat=yes */
+ 
+ 	/* Debugging settings, always default to off */
+ 	dumphistory = FALSE;
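Review bot: `ast_set_flag(&global_flags[0], SIP_NAT_RFC3581);` is kept two lines above the new `ast_set_flag(&global_flags[0], SIP_NAT_ALWAYS);`. If the SIP_NAT values are encodings of one multi-bit field rather than independent bits, the result depends on how the two constants overlap, and the RFC3581 line's comment ("NAT support if requested by device with rport") no longer describes the effective default. Prefer a single `ast_set_flags_to(&global_flags[0], SIP_NAT, SIP_NAT_ALWAYS);` (the helper this same patch uses in handle_common_options) and drop the RFC3581 line. The re-alignment of the three unchanged comments also inflates the diff for no functional gain.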
+@@ -17798,6 +17807,7 @@ static int reload_config(enum channelrel
+ 			if (is_user) {
+ 				user = build_user(cat, ast_variable_browse(cfg, cat), NULL, 0);
+ 				if (user) {
++					display_nat_warning(cat, reason, &user->flags[0]);
+ 					ASTOBJ_CONTAINER_LINK(&userl,user);
+ 					ASTOBJ_UNREF(user, sip_destroy_user);
+ 					user_count++;
+@@ -17806,6 +17816,9 @@ static int reload_config(enum channelrel
+ 			if (is_peer) {
+ 				peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0);
+ 				if (peer) {
++					if (!is_user) {
++						display_nat_warning(cat, reason, &peer->flags[0]);
++					}
+ 					ASTOBJ_CONTAINER_LINK(&peerl,peer);
+ 					ASTOBJ_UNREF(peer, sip_destroy_peer);
+ 					peer_count++;
+@@ -17813,6 +17826,7 @@ static int reload_config(enum channelrel
+ 			}
+ 		}
+ 	}
++
+ 	if (ast_find_ourip(&__ourip, bindaddr)) {
+ 		ast_log(LOG_WARNING, "Unable to get own IP address, SIP disabled\n");
+ 		ast_config_destroy(cfg);
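Review bot: this hunk adds only a blank line before `if (ast_find_ourip(&__ourip, bindaddr)) {`; it is whitespace noise in a security backport and would be better dropped so the patch stays minimal and easy to audit.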
+--- a/configs/sip.conf.sample
++++ b/configs/sip.conf.sample
+@@ -288,12 +288,20 @@ srvlookup=yes			; Enable DNS SRV lookups
+ ; firewall's support of SIP+RTP ports.  You configure Asterisk choice of RTP
+ ; ports for incoming audio in rtp.conf
+ ;
+-;nat=no				; Global NAT settings  (Affects all peers and users)
+-                                ; yes = Always ignore info and assume NAT
++;nat=yes                        ; Global NAT settings  (Affects all peers and users)
++                                ; yes = Always ignore info and assume NAT (default)
+                                 ; no = Use NAT mode only according to RFC3581 (;rport)
+                                 ; never = Never attempt NAT mode or RFC3581 support
+ 				; route = Assume NAT, don't send rport 
+ 				; (work around more UNIDEN bugs)
++;
++; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
++; the nat setting in a peer definition, then the peer username will be discoverable
++; by outside parties as Asterisk will respond to different ports for defined and
++; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
++; GENERAL SECTION. Specifically, if nat=route or nat=yes in one section and nat=no or
++; nat=never in the other, then valid users with settings differing from those in the
++; general section will be discoverable.
+ 
+ ;----------------------------------- MEDIA HANDLING --------------------------------
+ ; By default, Asterisk tries to re-invite the audio to an optimal path. If there's
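Review bot: the new comment states the leak exists only when `nat=route or nat=yes in one section and nat=no or nat=never in the other`, but display_nat_warning in chan_sip.c compares the full SIP_NAT value, so yes in [general] and route on a peer (or no versus never) also triggers the warning even though both sides respond to the same port. Either document that the warning is deliberately broader than the vulnerable pairs, or have the check compare only whether the response goes to the source port; as written, users will see warnings for configurations this text tells them are safe.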
+@@ -546,7 +554,6 @@ srvlookup=yes			; Enable DNS SRV lookups
+ 				; on incoming calls to Asterisk
+ ;host=192.168.0.23		; we have a static but private IP address
+ 				; No registration allowed
+-;nat=no				; there is not NAT between phone and Asterisk
+ ;canreinvite=yes		; allow RTP voice traffic to bypass Asterisk
+ ;dtmfmode=info			; either RFC2833 or INFO for the BudgeTone
+ ;call-limit=1			; permit only 1 outgoing call and 1 incoming call at a time
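Review bot: removing `;nat=no				; there is not NAT between phone and Asterisk` from the static-IP BudgeTone example deletes the one sample of a device that genuinely needs nat=no, right after CHANGES says "It is very important that phones requiring nat=no be specifically set as such". Keep the line, but move the explanation to [general] per the new advice: a no-NAT phone on a static private address should have nat=no set globally, or be called out as a case that needs a mismatch and the enumeration trade-off it implies.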
+@@ -578,7 +585,6 @@ srvlookup=yes			; Enable DNS SRV lookups
+ ;regexten=1234			; When they register, create extension 1234
+ ;callerid="Jane Smith" <5678>
+ ;host=dynamic			; This device needs to register
+-;nat=yes			; X-Lite is behind a NAT router
+ ;canreinvite=no			; Typically set to NO if behind NAT
+ ;disallow=all
+ ;allow=gsm			; GSM consumes far less bandwidth than ulaw
+@@ -643,9 +649,6 @@ srvlookup=yes			; Enable DNS SRV lookups
+ ;type=friend
+ ;secret=blah
+ ;qualify=200			; Qualify peer is no more than 200ms away
+-;nat=yes			; This phone may be natted
+-				; Send SIP and RTP to the IP address that packet is 
+-				; received from instead of trusting SIP headers 
+ ;host=dynamic			; This device registers with us
+ ;canreinvite=no			; Asterisk by default tries to redirect the
+ 				; RTP media stream (audio) to go directly from
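Review bot: the three removed lines (`;nat=yes`, `; Send SIP and RTP to the IP address that packet is`, `; received from instead of trusting SIP headers`) were the only plain-language description in the sample of what nat=yes actually does; the [general] block above only says "Always ignore info and assume NAT". Since the patch pushes everyone to configure nat in [general], move that explanation up there instead of dropping it.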

Modified: asterisk/branches/lenny-security/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/series?rev=9408&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/series (original)
+++ asterisk/branches/lenny-security/debian/patches/series Thu Dec 15 12:28:18 2011
@@ -110,3 +110,5 @@
 AST-2011-008
 AST-2011-010
 AST-2011-011
+# Also used directly in debian/rules:
+AST-2011-013

Modified: asterisk/branches/lenny-security/debian/rules
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/rules?rev=9408&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/rules (original)
+++ asterisk/branches/lenny-security/debian/rules Thu Dec 15 12:28:18 2011
@@ -191,6 +191,11 @@
 	# sensitive information, such as passwords
 	chmod o-rwx $(CURDIR)/debian/asterisk-config/etc/asterisk/*
 	chmod o+rx  $(CURDIR)/debian/asterisk-config/etc/asterisk/manager.d
+	# Unapply the changes in AST-2011-013 to config file chan_sip.conf:
+	# (Changes left in the patch as we do want to keep the sample config
+	# files fixed)
+	filterdiff -i '*/configs/sip.conf.sample' $(CURDIR)/debian/patches/AST-2011-013 \
+		| patch -R $(CURDIR)/debian/asterisk-config/etc/asterisk/sip.conf
 	dh_installdeb -i
 	dh_gencontrol -i
 	dh_md5sums -i
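Review bot: the comment says `config file chan_sip.conf` but the file patched is sip.conf. More importantly, GNU patch in its default (non-POSIX) mode creates a sip.conf.orig backup when a hunk applies with offset or fuzz, and that file would then be shipped inside debian/asterisk-config/etc/asterisk/ with whatever mode patch gives it, after the `chmod o-rwx` above has already run; pass `--no-backup-if-mismatch` (and consider `-s`) to `patch -R`. Also, make runs this pipeline in /bin/sh without pipefail, so only patch's exit status is seen; if filterdiff is missing or fails, the build will not stop where the fault is. The installed sip.conf will keep the pre-fix `;nat=no` commentary while the binary now defaults to yes, which is the stated intent, so a one-line pointer in the comment to README.Debian's "Nat=yes by Default" section would help whoever next reads this rule.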
