[Pkg-voip-commits] r9409 - in /asterisk/branches/squeeze/debian: README.Debian changelog control patches/AST-2011-013 patches/series rules
tzafrir at alioth.debian.org
tzafrir at alioth.debian.org
Sat Dec 17 12:03:43 UTC 2011
Author: tzafrir
Date: Sat Dec 17 12:03:43 2011
New Revision: 9409
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9409
Log:
* Patch AST-2011-013: potential remote information disclosure
Closes: #651552 (CVE-2011-4597 The side issue. The DoS is
inapplicable to Lenny).
- The patch changeges the sample sip.conf . We change the sample
config files, but not the files under /etc/asterisk .
Added:
asterisk/branches/squeeze/debian/patches/AST-2011-013
Modified:
asterisk/branches/squeeze/debian/README.Debian
asterisk/branches/squeeze/debian/changelog
asterisk/branches/squeeze/debian/control
asterisk/branches/squeeze/debian/patches/series
asterisk/branches/squeeze/debian/rules
Modified: asterisk/branches/squeeze/debian/README.Debian
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/README.Debian?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/README.Debian (original)
+++ asterisk/branches/squeeze/debian/README.Debian Sat Dec 17 12:03:43 2011
@@ -192,4 +192,47 @@
live/asterisk is a wrapper to that private copy of Asterisk.
+Nat=yes by Default
+==================
+Short version:
+As of version 1:1.6.2.9-2+squeeze4 (upstream 1.6.2.21), the default has
+changged from "nat=no" to "nat=yes" in sip.conf. Chances are this is
+the right setting for you, so just leave it. If you have different
+configuration between peer/user settings and the global ones, you'll get
+a warning. So just leave the defaults (nat=yes).
+
+Long version:
+This change is due to AST-2011-013 (CVE-2011-4597). A SIP client (UAC)
+contacts Asterisk acting as a SIP server (UAS). Asterisk needs to know
+where to send the response to. Originally Asterisk has followed the
+recommendations in RFC 3261, Asterisk sends the response to using the
+port number specified in the message. This tends to break when NAT is
+involved, and hence the option "rport" was added in RFC3581: just send
+it to the port number you recieved it from. This is really the sane
+thing to do.
+
+Forcing the usage of rport is probably the wise thing to do in just
+about any case. Rumour has it that some Cisco phones will break if it
+is used. More importantly, forcing it may break RFC3261 compliance, if
+you need it. But apart from that, there's really no reason for you to
+use it.
+
+Many SIP clients just added the rport option to their requests. But
+others didn't. Asterisk has added a configuration option "nat" to force
+using rport ("nat=yes". This also sets a few other things). Later
+versions of Asterisk have added 'nat=force_rport' that only forces rport.
+
+The problem is that the option has to be applied even before the remote
+client is fully authenticated: if the configuration differs between
+different peers / users, Asterisk will have to rely on the
+information in the initial request packet in order to know which user /
+peer this is and send the response to the right port number (originating
+or the one specified in the request).
+
+Thus in the worst case where the global settings are not set but it is set
+for each peer, a remote attacker can test if a user exists by creating
+a request (e.g. INVITE) with port set to $port1 and origignating from
+$port2. If the response goes to $port2, the user exists.
+
+
Enjoy your PBX!
Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Sat Dec 17 12:03:43 2011
@@ -6,6 +6,11 @@
[ Tzafrir Cohen ]
* Patch fix_bridging_crash: segfault in bridging API (Closes: #639821).
* README.Debian: clarify datadir pathes (regarding #628415).
+ * Patch AST-2011-013: potential remote information disclosure
+ Closes: #651552 (CVE-2011-4597 The side issue. The DoS is
+ inapplicable to Lenny).
+ - The patch changeges the sample sip.conf . We change the sample
+ config files, but not the files under /etc/asterisk .
-- Tzafrir Cohen <tzafrir at debian.org> Wed, 28 Sep 2011 13:20:18 +0300
Modified: asterisk/branches/squeeze/debian/control
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/control?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/control (original)
+++ asterisk/branches/squeeze/debian/control Sat Dec 17 12:03:43 2011
@@ -42,6 +42,7 @@
libopenr2-dev,
libresample1-dev,
libopenais-dev,
+ patchutils,
zlib1g-dev
Standards-Version: 3.9.0
Homepage: http://www.asterisk.org/
Added: asterisk/branches/squeeze/debian/patches/AST-2011-013
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-013?rev=9409&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-013 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-013 Sat Dec 17 12:03:43 2011
@@ -1,0 +1,183 @@
+Author: Terry Wilson <twilson at digium.com>
+Date: Mon, 21 Nov 2011 20:23:55 +0000
+Subject: Default to nat=yes; warn when nat in general and peer differ
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-18862
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=345800
+
+It is possible to enumerate SIP usernames when the general and user/peer
+nat settings differ in whether to respond to the port a request is sent
+from or the port listed for responses in the Via header. In 1.4 and 1.6.2,
+this would mean if one setting was nat=yes or nat=route and the other was
+either nat=no or nat=never. In 1.8 and 10, this would mean when one was
+nat=force_rport and the other was nat=no.
+
+In order to address this problem, it was decided to switch the default
+behavior to nat=yes/force_rport as it is the most commonly used option
+and to strongly discourage setting nat per-peer/user when at all possible.
+
+For more discussion of the issue, please see:
+ http://lists.digium.com/pipermail/asterisk-dev/2011-November/052191.html
+
+Review: https://reviewboard.asterisk.org/r/1591/
+
+---
+ CHANGES | 12 ++++++++++++
+ channels/chan_sip.c | 37 +++++++++++++++++++++++++------------
+ configs/sip.conf.sample | 17 +++++++++--------
+ 3 files changed, 46 insertions(+), 20 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index f200a60..63ed23b 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -9,6 +9,18 @@
+ ======================================================================
+
+ ------------------------------------------------------------------------------
++--- Functionality changes since Asterisk 1.6.2.20 -------------
++------------------------------------------------------------------------------
++
++SIP Changes
++-----------
++ * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
++ now defaults to yes. It is very important that phones requiring nat=no be
++ specifically set as such instead of relying on the default setting. If at all
++ possible, all devices should have nat settings configured in the general section as
++ opposed to configuring nat per-device.
++
++------------------------------------------------------------------------------
+ --- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2 -------------
+ ------------------------------------------------------------------------------
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 328643e..a9a5085 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -24164,15 +24164,14 @@ static int handle_common_options(struct ast_flags *flags, struct ast_flags *mask
+ }
+ } else if (!strcasecmp(v->name, "nat")) {
+ ast_set_flag(&mask[0], SIP_NAT);
+- ast_clear_flag(&flags[0], SIP_NAT);
+- if (!strcasecmp(v->value, "never"))
+- ast_set_flag(&flags[0], SIP_NAT_NEVER);
+- else if (!strcasecmp(v->value, "route"))
+- ast_set_flag(&flags[0], SIP_NAT_ROUTE);
+- else if (ast_true(v->value))
+- ast_set_flag(&flags[0], SIP_NAT_ALWAYS);
+- else
+- ast_set_flag(&flags[0], SIP_NAT_RFC3581);
++ ast_set_flag(&flags[0], SIP_NAT_ALWAYS);
++ if (!strcasecmp(v->value, "never")) {
++ ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_NEVER);
++ } else if (!strcasecmp(v->value, "route")) {
++ ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_ROUTE);
++ } else if (ast_false(v->value)) {
++ ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_RFC3581);
++ }
+ } else if (!strcasecmp(v->name, "directmedia") || !strcasecmp(v->name, "canreinvite")) {
+ ast_set_flag(&mask[0], SIP_REINVITE);
+ ast_clear_flag(&flags[0], SIP_REINVITE);
+@@ -25124,6 +25123,15 @@ static int peer_markall_func(void *device, void *arg, int flags)
+ return 0;
+ }
+
++static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
++ int global_nat, specific_nat;
++
++ if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT))) {
++ ast_log(LOG_WARNING, "sip.conf: Different 'nat' settings between [general] and section %s. See /usr/share/doc/asterisk/README.Debian.gz (global='%s' peer/user='%s')\n",
++ cat, nat2str(global_nat), nat2str(specific_nat));
++ }
++}
++
+ /*! \brief Re-read SIP.conf config file
+ \note This function reloads all config data, except for
+ active peers (with registrations). They will only
+@@ -25338,9 +25349,10 @@ static int reload_config(enum channelreloadreason reason)
+ ast_copy_string(default_mohinterpret, DEFAULT_MOHINTERPRET, sizeof(default_mohinterpret));
+ ast_copy_string(default_mohsuggest, DEFAULT_MOHSUGGEST, sizeof(default_mohsuggest));
+ ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
+- ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
+- ast_set_flag(&global_flags[0], SIP_NAT_RFC3581); /*!< NAT support if requested by device with rport */
+- ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
++ ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
++ ast_set_flag(&global_flags[0], SIP_NAT_RFC3581); /*!< NAT support if requested by device with rport */
++ ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
++ ast_set_flag(&global_flags[0], SIP_NAT_ALWAYS); /*!< Default to nat=yes */
+
+ /* Debugging settings, always default to off */
+ dumphistory = FALSE;
+@@ -25993,6 +26005,7 @@ static int reload_config(enum channelreloadreason reason)
+ }
+ peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0);
+ if (peer) {
++ display_nat_warning(cat, reason, &peer->flags[0]);
+ ao2_t_link(peers, peer, "link peer into peers table");
+ if ((peer->type & SIP_TYPE_PEER) && peer->addr.sin_addr.s_addr) {
+ ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table");
+diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
+index 1eafdb6..e9abacc 100644
+--- a/configs/sip.conf.sample
++++ b/configs/sip.conf.sample
+@@ -660,10 +660,18 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
+ ; The following settings are allowed (both globally and in individual sections):
+ ;
+ ; nat = no ; default. Use NAT mode only according to RFC3581 (;rport)
+-; nat = yes ; Always ignore info and assume NAT
++; nat = yes ; Always ignore info and assume NAT (default)
+ ; nat = never ; Never attempt NAT mode or RFC3581 support
+ ; nat = route ; route = Assume NAT, don't send rport
+ ; ; (work around more UNIDEN bugs)
++;
++; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
++; the nat setting in a peer definition, then the peer username will be discoverable
++; by outside parties as Asterisk will respond to different ports for defined and
++; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
++; GENERAL SECTION. Specifically, if nat=route or nat=yes in one section and nat=no or
++; nat=never in the other, then valid users with settings differing from those in the
++; general section will be discoverable.
+
+ ;----------------------------------- MEDIA HANDLING --------------------------------
+ ; By default, Asterisk tries to re-invite media streams to an optimal path. If there's
+@@ -990,12 +998,10 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
+ type=friend
+
+ [natted-phone](!,basic-options) ; another template inheriting basic-options
+- nat=yes
+ directmedia=no
+ host=dynamic
+
+ [public-phone](!,basic-options) ; another template inheriting basic-options
+- nat=no
+ directmedia=yes
+
+ [my-codecs](!) ; a template for my preferred codecs
+@@ -1030,7 +1036,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
+ ; on incoming calls to Asterisk
+ ;host=192.168.0.23 ; we have a static but private IP address
+ ; No registration allowed
+-;nat=no ; there is not NAT between phone and Asterisk
+ ;directmedia=yes ; allow RTP voice traffic to bypass Asterisk
+ ;dtmfmode=info ; either RFC2833 or INFO for the BudgeTone
+ ;call-limit=1 ; permit only 1 outgoing call and 1 incoming call at a time
+@@ -1060,7 +1065,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
+ ;regexten=1234 ; When they register, create extension 1234
+ ;callerid="Jane Smith" <5678>
+ ;host=dynamic ; This device needs to register
+-;nat=yes ; X-Lite is behind a NAT router
+ ;directmedia=no ; Typically set to NO if behind NAT
+ ;disallow=all
+ ;allow=gsm ; GSM consumes far less bandwidth than ulaw
+@@ -1131,9 +1135,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
+ ;type=friend
+ ;secret=blah
+ ;qualify=200 ; Qualify peer is no more than 200ms away
+-;nat=yes ; This phone may be natted
+- ; Send SIP and RTP to the IP address that packet is
+- ; received from instead of trusting SIP headers
+ ;host=dynamic ; This device registers with us
+ ;directmedia=no ; Asterisk by default tries to redirect the
+ ; RTP media stream (audio) to go directly from
+--
+1.7.7.3
+
Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Sat Dec 17 12:03:43 2011
@@ -42,3 +42,6 @@
chan_sip_hotfix_for_AST-2011-005-p2
fix_bridging_crash
+
+# Also used directly in debian/rules:
+AST-2011-013
Modified: asterisk/branches/squeeze/debian/rules
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/rules?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/rules (original)
+++ asterisk/branches/squeeze/debian/rules Sat Dec 17 12:03:43 2011
@@ -146,6 +146,11 @@
# create a simple config
echo "; please read the documentation regarding the Manager Interface (asterisk-doc package)" > \
$(CURDIR)/debian/asterisk-config/etc/asterisk/manager.d/README.conf
+ # Unapply the changes in AST-2011-013 to config file chan_sip.conf:
+ # (Changes left in the patch as we do want to keep the sample config
+ # files fixed)
+ filterdiff -i '*/configs/sip.conf.sample' $(CURDIR)/debian/patches/AST-2011-013 \
+ | patch -R $(CURDIR)/debian/asterisk-config/etc/asterisk/sip.conf
touch $@
binary: binary-indep binary-arch
More information about the Pkg-voip-commits
mailing list