[Pkg-voip-commits] r9409 - in /asterisk/branches/squeeze/debian: README.Debian changelog control patches/AST-2011-013 patches/series rules

tzafrir at alioth.debian.org tzafrir at alioth.debian.org
Sat Dec 17 12:03:43 UTC 2011


Author: tzafrir
Date: Sat Dec 17 12:03:43 2011
New Revision: 9409

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9409
Log:
* Patch AST-2011-013: potential remote information disclosure
  Closes: #651552 (CVE-2011-4597 The side issue. The DoS is
  inapplicable to Lenny).
  - The patch changes the sample sip.conf . We change the sample
     config files, but not the files under /etc/asterisk .

Added:
    asterisk/branches/squeeze/debian/patches/AST-2011-013
Modified:
    asterisk/branches/squeeze/debian/README.Debian
    asterisk/branches/squeeze/debian/changelog
    asterisk/branches/squeeze/debian/control
    asterisk/branches/squeeze/debian/patches/series
    asterisk/branches/squeeze/debian/rules

Modified: asterisk/branches/squeeze/debian/README.Debian
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/README.Debian?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/README.Debian (original)
+++ asterisk/branches/squeeze/debian/README.Debian Sat Dec 17 12:03:43 2011
@@ -192,4 +192,47 @@
 live/asterisk is a wrapper to that private copy of Asterisk.
 
 
+Nat=yes by Default
+==================
+Short version:
+As of version 1:1.6.2.9-2+squeeze4 (upstream 1.6.2.21), the default has
+changged from "nat=no" to "nat=yes" in sip.conf. Chances are this is
+the right setting for you, so just leave it. If you have different
+configuration between peer/user settings and the global ones, you'll get
+a warning. So just leave the defaults (nat=yes).
+
+Long version:
+This change is due to AST-2011-013 (CVE-2011-4597). A SIP client (UAC)
+contacts Asterisk acting as a SIP server (UAS). Asterisk needs to know
+where to send the response to. Originally Asterisk has followed the
+recommendations in RFC 3261, Asterisk sends the response to using the
+port number specified in the message. This tends to break when NAT is
+involved, and hence the option "rport" was added in RFC3581: just send
+it to the port number you recieved it from. This is really the sane
+thing to do.
+
+Forcing the usage of rport is probably the wise thing to do in just
+about any case. Rumour has it that some Cisco phones will break if it
+is used. More importantly, forcing it may break RFC3261 compliance, if
+you need it. But apart from that, there's really no reason for you to
+use it.
+
+Many SIP clients just added the rport option to their requests. But
+others didn't. Asterisk has added a configuration option "nat" to force
+using rport ("nat=yes". This also sets a few other things). Later
+versions of Asterisk have added 'nat=force_rport' that only forces rport.
+
+The problem is that the option has to be applied even before the remote
+client is fully authenticated: if the configuration differs between
+different peers / users, Asterisk will have to rely on the
+information in the initial request packet in order to know which user /
+peer this is and send the response to the right port number (originating
+or the one specified in the request).
+
+Thus in the worst case where the global settings are not set but it is set
+for each peer, a remote attacker can test if a user exists by creating
+a request (e.g. INVITE) with port set to $port1 and origignating from
+$port2. If the response goes to $port2, the user exists.
+
+
 Enjoy your PBX!
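
Review bot: the paragraph beginning "Forcing the usage of rport" ends with "there's really no reason for you to use it", which reads as advice against rport and contradicts the paragraph's opening sentence; it probably should say there is no reason not to force it. The short version also tells the admin to "just leave the defaults" without saying what to do when the warning does appear; one sentence pointing at moving the nat setting into [general] would make the section actionable. Typos to fix in the same pass: "changged", "recieved", "origignating".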

Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Sat Dec 17 12:03:43 2011
@@ -6,6 +6,11 @@
   [ Tzafrir Cohen ]
   * Patch fix_bridging_crash: segfault in bridging API (Closes: #639821).
   * README.Debian: clarify datadir pathes (regarding #628415).
+  * Patch AST-2011-013: potential remote information disclosure
+    Closes: #651552 (CVE-2011-4597 The side issue. The DoS is
+    inapplicable to Lenny).
+    - The patch changeges the sample sip.conf . We change the sample
+       config files, but not the files under /etc/asterisk .
 
  -- Tzafrir Cohen <tzafrir at debian.org>  Wed, 28 Sep 2011 13:20:18 +0300
 
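
Review bot: the added entry says the DoS is "inapplicable to Lenny", but this changelog lives on the squeeze branch, so please confirm which release is meant. The entry also does not record the other packaging changes in this revision (the new patchutils build dependency, the filterdiff step in debian/rules and the new README.Debian section), and "changeges" should read "changes".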

Modified: asterisk/branches/squeeze/debian/control
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/control?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/control (original)
+++ asterisk/branches/squeeze/debian/control Sat Dec 17 12:03:43 2011
@@ -42,6 +42,7 @@
  libopenr2-dev,
  libresample1-dev,
  libopenais-dev,
+ patchutils,
  zlib1g-dev
 Standards-Version: 3.9.0
 Homepage: http://www.asterisk.org/

Added: asterisk/branches/squeeze/debian/patches/AST-2011-013
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-013?rev=9409&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-013 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-013 Sat Dec 17 12:03:43 2011
@@ -1,0 +1,183 @@
+Author: Terry Wilson <twilson at digium.com>
+Date: Mon, 21 Nov 2011 20:23:55 +0000
+Subject: Default to nat=yes; warn when nat in general and peer differ
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-18862
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=345800
+
+It is possible to enumerate SIP usernames when the general and user/peer
+nat settings differ in whether to respond to the port a request is sent
+from or the port listed for responses in the Via header. In 1.4 and 1.6.2,
+this would mean if one setting was nat=yes or nat=route and the other was
+either nat=no or nat=never. In 1.8 and 10, this would mean when one was
+nat=force_rport and the other was nat=no.
+
+In order to address this problem, it was decided to switch the default
+behavior to nat=yes/force_rport as it is the most commonly used option
+and to strongly discourage setting nat per-peer/user when at all possible.
+
+For more discussion of the issue, please see:
+  http://lists.digium.com/pipermail/asterisk-dev/2011-November/052191.html
+
+Review: https://reviewboard.asterisk.org/r/1591/
+
+---
+ CHANGES                 |   12 ++++++++++++
+ channels/chan_sip.c     |   37 +++++++++++++++++++++++++------------
+ configs/sip.conf.sample |   17 +++++++++--------
+ 3 files changed, 46 insertions(+), 20 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index f200a60..63ed23b 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -9,6 +9,18 @@
+ ======================================================================
+ 
+ ------------------------------------------------------------------------------
++--- Functionality changes since Asterisk 1.6.2.20                -------------
++------------------------------------------------------------------------------
++
++SIP Changes
++-----------
++    * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
++      now defaults to yes. It is very important that phones requiring nat=no be
++      specifically set as such instead of relying on the default setting. If at all
++      possible, all devices should have nat settings configured in the general section as
++      opposed to configuring nat per-device.
++
++------------------------------------------------------------------------------
+ --- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2  -------------
+ ------------------------------------------------------------------------------
+ 
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 328643e..a9a5085 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -24164,15 +24164,14 @@ static int handle_common_options(struct ast_flags *flags, struct ast_flags *mask
+ 		}
+ 	} else if (!strcasecmp(v->name, "nat")) {
+ 		ast_set_flag(&mask[0], SIP_NAT);
+-		ast_clear_flag(&flags[0], SIP_NAT);
+-		if (!strcasecmp(v->value, "never"))
+-			ast_set_flag(&flags[0], SIP_NAT_NEVER);
+-		else if (!strcasecmp(v->value, "route"))
+-			ast_set_flag(&flags[0], SIP_NAT_ROUTE);
+-		else if (ast_true(v->value))
+-			ast_set_flag(&flags[0], SIP_NAT_ALWAYS);
+-		else
+-			ast_set_flag(&flags[0], SIP_NAT_RFC3581);
++		ast_set_flag(&flags[0], SIP_NAT_ALWAYS);
++		if (!strcasecmp(v->value, "never")) {
++			ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_NEVER);
++		} else if (!strcasecmp(v->value, "route")) {
++			ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_ROUTE);
++		} else if (ast_false(v->value)) {
++			ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_RFC3581);
++		}
+ 	} else if (!strcasecmp(v->name, "directmedia") || !strcasecmp(v->name, "canreinvite")) {
+ 		ast_set_flag(&mask[0], SIP_REINVITE);
+ 		ast_clear_flag(&flags[0], SIP_REINVITE);
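
Review bot: in the "nat" branch, the fall-through case now sets SIP_NAT_ALWAYS with ast_set_flag() and the earlier ast_clear_flag(&flags[0], SIP_NAT) is gone, so the result is only correct if SIP_NAT_ALWAYS covers every bit of the SIP_NAT mask; using ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_ALWAYS) would match the other three branches and not depend on that. Note also that the final test changed from a bare else to ast_false(v->value), so any unrecognised or mistyped value now silently becomes nat=yes; that is the safer direction for this issue, but a log warning for values that are neither true, false, "never" nor "route" would help admins catch typos.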
+@@ -25124,6 +25123,15 @@ static int peer_markall_func(void *device, void *arg, int flags)
+ 	return 0;
+ }
+ 
++static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
++	int global_nat, specific_nat;
++
++	if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT))) {
++		ast_log(LOG_WARNING, "sip.conf: Different 'nat' settings between [general] and section %s. See /usr/share/doc/asterisk/README.Debian.gz (global='%s' peer/user='%s')\n",
++				cat, nat2str(global_nat), nat2str(specific_nat));
++	}
++}
++
+ /*! \brief Re-read SIP.conf config file
+ \note	This function reloads all config data, except for
+ 	active peers (with registrations). They will only
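
Review bot: display_nat_warning() only fires when reason == CHANNEL_MODULE_LOAD, so a mismatched nat setting introduced by a later reload of sip.conf produces no warning even though it re-opens the username enumeration; consider warning on every reload_config() pass. The two assignments embedded in the if condition would also read better as separate statements before the comparison.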
+@@ -25338,9 +25349,10 @@ static int reload_config(enum channelreloadreason reason)
+ 	ast_copy_string(default_mohinterpret, DEFAULT_MOHINTERPRET, sizeof(default_mohinterpret));
+ 	ast_copy_string(default_mohsuggest, DEFAULT_MOHSUGGEST, sizeof(default_mohsuggest));
+ 	ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
+-	ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833);			/*!< Default DTMF setting: RFC2833 */
+-	ast_set_flag(&global_flags[0], SIP_NAT_RFC3581);			/*!< NAT support if requested by device with rport */
+-	ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA);			/*!< Allow re-invites */
++	ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
++	ast_set_flag(&global_flags[0], SIP_NAT_RFC3581);  /*!< NAT support if requested by device with rport */
++	ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
++	ast_set_flag(&global_flags[0], SIP_NAT_ALWAYS);   /*!< Default to nat=yes */
+ 
+ 	/* Debugging settings, always default to off */
+ 	dumphistory = FALSE;
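
Review bot: the global defaults now set both SIP_NAT_RFC3581 and SIP_NAT_ALWAYS on global_flags[0], and the retained comment "NAT support if requested by device with rport" no longer describes the effective default. Dropping the SIP_NAT_RFC3581 line, or replacing both with a single ast_set_flags_to() on the SIP_NAT mask, would make the intended default unambiguous. The whitespace-only realignment of the three existing lines adds noise to a security backport and could be left out.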
+@@ -25993,6 +26005,7 @@ static int reload_config(enum channelreloadreason reason)
+ 			}
+ 			peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0);
+ 			if (peer) {
++				display_nat_warning(cat, reason, &peer->flags[0]);
+ 				ao2_t_link(peers, peer, "link peer into peers table");
+ 				if ((peer->type & SIP_TYPE_PEER) && peer->addr.sin_addr.s_addr) {
+ 					ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table");
+diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
+index 1eafdb6..e9abacc 100644
+--- a/configs/sip.conf.sample
++++ b/configs/sip.conf.sample
+@@ -660,10 +660,18 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
+ ; The following settings are allowed (both globally and in individual sections):
+ ;
+ ;        nat = no                ; default. Use NAT mode only according to RFC3581 (;rport)
+-;        nat = yes               ; Always ignore info and assume NAT
++;        nat = yes               ; Always ignore info and assume NAT (default)
+ ;        nat = never             ; Never attempt NAT mode or RFC3581 support
+ ;        nat = route             ; route = Assume NAT, don't send rport 
+ ;                                ; (work around more UNIDEN bugs)
++;
++; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
++; the nat setting in a peer definition, then the peer username will be discoverable
++; by outside parties as Asterisk will respond to different ports for defined and
++; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
++; GENERAL SECTION. Specifically, if nat=route or nat=yes in one section and nat=no or
++; nat=never in the other, then valid users with settings differing from those in the
++; general section will be discoverable.
+ 
+ ;----------------------------------- MEDIA HANDLING --------------------------------
+ ; By default, Asterisk tries to re-invite media streams to an optimal path. If there's
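
Review bot: after this hunk the option list documents two defaults: the unchanged context line still reads "nat = no ; default." while the modified line now reads "nat = yes ... (default)". The word "default" should be removed from the nat = no line so the sample matches the new behaviour in chan_sip.c.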
+@@ -990,12 +998,10 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
+         type=friend
+ 
+ [natted-phone](!,basic-options)   ; another template inheriting basic-options
+-        nat=yes
+         directmedia=no
+         host=dynamic
+ 
+ [public-phone](!,basic-options)   ; another template inheriting basic-options
+-        nat=no
+         directmedia=yes
+ 
+ [my-codecs](!)                    ; a template for my preferred codecs
+@@ -1030,7 +1036,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
+                                  ; on incoming calls to Asterisk
+ ;host=192.168.0.23               ; we have a static but private IP address
+                                  ; No registration allowed
+-;nat=no                          ; there is not NAT between phone and Asterisk
+ ;directmedia=yes                 ; allow RTP voice traffic to bypass Asterisk
+ ;dtmfmode=info                   ; either RFC2833 or INFO for the BudgeTone
+ ;call-limit=1                    ; permit only 1 outgoing call and 1 incoming call at a time
+@@ -1060,7 +1065,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
+ ;regexten=1234                   ; When they register, create extension 1234
+ ;callerid="Jane Smith" <5678>
+ ;host=dynamic                    ; This device needs to register
+-;nat=yes                         ; X-Lite is behind a NAT router
+ ;directmedia=no                  ; Typically set to NO if behind NAT
+ ;disallow=all
+ ;allow=gsm                       ; GSM consumes far less bandwidth than ulaw
+@@ -1131,9 +1135,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
+ ;type=friend
+ ;secret=blah
+ ;qualify=200                     ; Qualify peer is no more than 200ms away
+-;nat=yes                         ; This phone may be natted
+-                                 ; Send SIP and RTP to the IP address that packet is 
+-                                 ; received from instead of trusting SIP headers 
+ ;host=dynamic                    ; This device registers with us
+ ;directmedia=no                  ; Asterisk by default tries to redirect the
+                                  ; RTP media stream (audio) to go directly from
+-- 
+1.7.7.3
+

Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Sat Dec 17 12:03:43 2011
@@ -42,3 +42,6 @@
 chan_sip_hotfix_for_AST-2011-005-p2
 
 fix_bridging_crash
+
+# Also used directly in debian/rules:
+AST-2011-013

Modified: asterisk/branches/squeeze/debian/rules
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/rules?rev=9409&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/rules (original)
+++ asterisk/branches/squeeze/debian/rules Sat Dec 17 12:03:43 2011
@@ -146,6 +146,11 @@
 	# create a simple config
 	echo "; please read the documentation regarding the Manager Interface (asterisk-doc package)" > \
 		$(CURDIR)/debian/asterisk-config/etc/asterisk/manager.d/README.conf
+	# Unapply the changes in AST-2011-013 to config file chan_sip.conf:
+	# (Changes left in the patch as we do want to keep the sample config
+	# files fixed)
+	filterdiff -i '*/configs/sip.conf.sample' $(CURDIR)/debian/patches/AST-2011-013 \
+		| patch -R $(CURDIR)/debian/asterisk-config/etc/asterisk/sip.conf
 	touch $@
 
 binary: binary-indep binary-arch
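
Review bot: reverse-applying the sip.conf.sample hunks to the shipped etc/asterisk/sip.conf removes the new "IT IS IMPORTANT TO NOTE" paragraph and restores the per-template nat=yes and nat=no lines, so the installed config keeps describing nat = no as the default while chan_sip now defaults to nat=yes; consider keeping at least the comment hunk in the shipped file, or saying in README.Debian that the installed sip.conf comments are out of date. The comment above the command names chan_sip.conf although the file patched is sip.conf. Because the command is a pipeline, make only sees the exit status of patch; if filterdiff matches nothing, patch receives empty input, so a check that the filtered diff is non-empty would make a silent no-op visible.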
