Fix vulnerabilities in channels/chan_iax2.c

Bug #345217 reported by Brian Thomason
Affects              Status        Importance  Assigned to     Milestone
asterisk (Ubuntu)    Invalid       Undecided   Unassigned
Hardy                Fix Released  Undecided   Brian Thomason
Intrepid             Fix Released  Undecided   Brian Thomason
Jaunty               Fix Released  Undecided   Brian Thomason
Karmic               Invalid       Undecided   Unassigned

Bug Description

There have been several CVEs pertaining to the IAX2 implementation in asterisk:

CVE-2008-1897
CVE-2008-3263
CVE-2008-3264
CVE-2009-0041

Changed in asterisk (Ubuntu):
assignee: nobody → brian-thomason
status: New → In Progress
visibility: private → public
Brian Thomason (brian-thomason) wrote :

I have attached a debdiff for Hardy based on patches from upstream. I have tested as best I can with my limited knowledge of asterisk and IAX. I can connect and register with IAX clients and with VoixPhone, I can seem to connect to a channel. (the CLI for asterisk shows I am connected) However, while kiax will register, I am unable to call with it, but it could be due to my setup. (I've never configured asterisk before)

Any testing help would be appreciated as would anyone patient enough to teach me how to get a basic asterisk setup going.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff Brian!

Since you're asking for some more help in testing it, I'll set this bug as "Incomplete" for now. Once you're satisfied that it's been tested adequately, please mark it as "In Progress" again so our notification scripts will pick it up and we'll build and release it.

Thanks.

Changed in asterisk:
status: In Progress → Incomplete
Brian Thomason (brian-thomason) wrote :

Thanks to some help from Jamie, I am able to successfully register IAX clients and make calls with them. This patch should be ready for release.

Changed in asterisk (Ubuntu):
status: Incomplete → Fix Committed
Changed in asterisk (Ubuntu Jaunty):
status: New → Fix Released
Changed in asterisk (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in asterisk (Ubuntu Intrepid):
status: New → Triaged
assignee: nobody → Brian Thomason (brian-thomason)
Changed in asterisk (Ubuntu Hardy):
status: New → In Progress
assignee: nobody → Brian Thomason (brian-thomason)
Changed in asterisk (Ubuntu Karmic):
assignee: brian-thomason → nobody
Jamie Strandboge (jdstrand) wrote :

Thanks for your debdiff Brian! :) Here are some comments:

1. You have supplied two patches for CVE-2008-1897 (debian/patches/CVE-2008-1897 and debian/patches/asterisk-CVE-2008-1897). Please remove asterisk-CVE-2008-1897
2. CVE-2008-1897 seems to be missing parts of upstream's http://downloads.digium.com/pub/security/AST-2008-006.html. Was the patch misapplied? If not, can you explain why it isn't applied?
3. The debian/changelog description does not conform to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging. These guidelines are in place for clarity, so someone knows quickly what patch goes with which CVE and upstream references. Can you adjust so each patch has its own stanza?
4. The package uses quilt, which supports comments at the top of the patch. Specifically, the added patches in debian/patches should use UbuntuDevelopment/PatchTaggingGuidelines (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch)
5. Our tracker (see http://people.ubuntu.com/~ubuntu-security/cve/universe.html#universe) shows that hardy asterisk is also vulnerable to CVE-2008-3903, CVE-2008-1923, CVE-2009-0871 and CVE-2008-1390. Were you planning to do updates for these as well?

I have marked the Hardy task back to 'Triaged' as per https://wiki.ubuntu.com/SecurityTeam/BugTriage#Status. Please mark back to 'In Progress' when resubmitting your patch. Thanks for your time in preparing these. Asterisk needs some love! :)

Changed in asterisk (Ubuntu Hardy):
status: In Progress → Triaged
Brian Thomason (brian-thomason) wrote : Re: [Bug 345217] Re: Fix vulnerabilities in channels/chan_iax2.c

Thanks Jamie,

On Tue, Apr 28, 2009 at 5:29 PM, Jamie Strandboge <email address hidden> wrote:

> Thanks for your debdiff Brian! :) Here are some comments:
>
> 1. You have supplied two patches for CVE-2008-1897
> (debian/patches/CVE-2008-1897 and debian/patches/asterisk-CVE-2008-1897).
> Please remove asterisk-CVE-2008-1897

Bah! I didn't even see that, sorry. That was left over from some earlier
quilt tinkering. Will remove it straight away.

>
> 2. CVE-2008-1897 seems to be missing parts of upstream's
> http://downloads.digium.com/pub/security/AST-2008-006.html. Was the patch
> misapplied? If not, can you explain why it isn't applied?

It's been so long I'm not sure. I'll do this one from scratch again.

>
> 3. The debian/changelog description does not conform to
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging.
> These guidelines are in place for clarity, so someone knows quickly what
> patch goes with which CVE and upstream references. Can you adjust so each
> patch has its own stanza?

OK

>
> 4. The package uses quilt, which supports comments at the top of the patch.
> Specifically, the added patches in debian/patches should use
> UbuntuDevelopment/PatchTaggingGuidelines (see
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch)

OK

>
> 5. Our tracker (see
> http://people.ubuntu.com/~ubuntu-security/cve/universe.html#universe)
> shows that hardy asterisk is also vulnerable to CVE-2008-3903,
> CVE-2008-1923, CVE-2009-0871 and CVE-2008-1390. Were you planning to do
> updates for these as well?
>

Off the top of my head, one of these upstream hadn't fixed at the time, a
couple were basically duplicates, and I don't recall the other off the top
of my head. Before resubmitting the debdiff, I'll also look these up again
and comment in the bug. Yes, if they need attention, I fully plan on
handling them as well.

I'll also resubmit with the intrepid patch next time.

Thanks as always for your patience as I get accustomed to these processes
Jamie!

-Brian

Brian Thomason (brian-thomason) wrote :

Here is an updated debdiff for hardy. The missing section from the upstream patch in CVE-2008-1897 was irrelevant as it had been fixed for a different reason by a prior patch.

Changed in asterisk (Ubuntu Hardy):
status: Triaged → In Progress
Marc Deslauriers (mdeslaur) wrote :

Hi Brian,

Thanks for the updated debdiff. Patch for CVE-2008-1897 looks good, as does the changelog and patch tagging.

Would it be possible to apply patches for the following two issues:

CVE-2008-1390 (http://downloads.asterisk.org/pub/security/AST-2008-005.html)
CVE-2008-3903 (http://downloads.asterisk.org/pub/security/AST-2009-003.html)

The other issues don't seem to apply to hardy.

Thanks!

Changed in asterisk (Ubuntu Hardy):
status: In Progress → Incomplete
status: Incomplete → Triaged
Brian Thomason (brian-thomason) wrote :

Added fixes for:

CVE-2008-1390 (http://downloads.asterisk.org/pub/security/AST-2008-005.html)
CVE-2008-3903 (http://downloads.asterisk.org/pub/security/AST-2009-003.html)

I tested that it built properly but have not done any thorough testing yet. Any help in the way of testing would be greatly appreciated as the chan_sip.c file was modified.

Changed in asterisk (Ubuntu Hardy):
status: Triaged → In Progress
Kees Cook (kees) wrote :

This looks good. I would recommend using a SIP provider like Ekiga.net to test SIP functionality. Once you're satisfied that these changes are solid, we can publish them.

Changed in asterisk (Ubuntu Hardy):
status: In Progress → Incomplete
Brian Thomason (brian-thomason) wrote :

I tested this locally, calling up voicemail using SIP, and it worked fine. I don't really have a setup for making a call from softphone to softphone though. If anyone else would like to test this, please do, otherwise, I think it's good enough to hit proposed.

Changed in asterisk (Ubuntu Hardy):
status: Incomplete → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Actually, we don't go through -proposed for security updates. I will build this and test locally. Marking 'In Progress' per https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update

Changed in asterisk (Ubuntu Hardy):
status: Fix Committed → In Progress
Jamie Strandboge (jdstrand) wrote :

Uploaded to security ppa. Will test/push to the archive when it finishes building. Thanks for the hard work Brian!

Changed in asterisk (Ubuntu Hardy):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

I tested this from a sip phone through asterisk to IAX provider in both directions and it works fine.

Brian Thomason (brian-thomason) wrote :

Thanks Jamie! I hadn't thought about that possibility.

-Brian

On Fri, Sep 25, 2009 at 4:34 PM, Jamie Strandboge <email address hidden> wrote:

> I tested this from a sip phone through asterisk to IAX provider in both
> directions and it works fine.

Jamie Strandboge (jdstrand) wrote :

asterisk (1:1.4.17~dfsg-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: ACK response spoofing
    - added debian/patches/CVE-2008-1897: Adjust chan_iax2.c to use a special
      id to prevent ACK response spoofing. Based on upstream patch.
    - CVE-2008-1897
    - AST-2008-006
  * SECURITY UPDATE: POKE request flooding
    - added debian/patches/CVE-2008-3263: Adjust chan_iax2.c to prevent
      'POKE' request flooding. Based on upstream patch.
    - CVE-2008-3263
    - AST-2008-010
  * SECURITY UPDATE: firmware packet flooding
    - added debian/patches/CVE-2008-3264: Adjust chan_iax2.c to prevent
      firmware packet flooding. Based on upstream patch.
    - CVE-2008-3264
    - AST-2008-011
  * SECURITY UPDATE: information leak in IAX2 authentication
    - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
      information leak in IAX2 authentication. Based on upstream patch.
    - CVE-2009-0041
    - AST-2009-001
  * SECURITY UPDATE: SIP responses expose valid usernames
    - added debian/patches/CVE-2008-3903: Adjust chan_sip.c to make
      it more difficult to scan for available usernames.
    - CVE-2008-3903
    - AST-2009-003
  * SECURITY UPDATE: An attacker could hijack a manager session
    - added debian/patches/CVE-2008-1390: Adjust manager.c to
      never assign an invalid id of 0
    - CVE-2008-1390
    - AST-2008-005

Changed in asterisk (Ubuntu Hardy):
status: Fix Committed → Fix Released
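The two "username exposure" entries in the changelog above (CVE-2008-3903 in chan_sip.c and CVE-2009-0041 in chan_iax2.c) are the same class of bug: the server answers differently depending on whether the account exists, so an attacker can enumerate valid names without ever knowing a password. The following is an added example to illustrate that oracle and its fix; it is not Asterisk code and does not reproduce the upstream patches. The user table, the simplified digest, the status codes and the function names are all constructed for this illustration. The enumerate_users() helper plays the attacker and is the kind of check a packager could run against a build to confirm the fix took.

```python
"""Added example (not Asterisk's code): a miniature SIP-style REGISTER
handler in two variants, one that leaks valid usernames through its
responses and one that answers uniformly, plus an attacker-side scanner
that shows the difference. Everything here is constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional, Tuple

# Constructed user table: these accounts exist, anything else does not.
USERS = {"alice": "correct horse", "bob": "battery staple"}

# A reply is (status, reason, challenge nonce or None).
Reply = Tuple[int, str, Optional[str]]


def compute_response(user: str, password: str, nonce: str) -> str:
    """Simplified challenge response (assumption: not RFC 2617 digest)."""
    return hashlib.sha256(f"{user}:{nonce}:{password}".encode()).hexdigest()


def _challenge() -> Reply:
    return 401, "Unauthorized", secrets.token_hex(16)


def leaky_register(user: str, nonce: Optional[str] = None,
                   response: Optional[str] = None) -> Reply:
    """Vulnerable shape: an unknown user is refused immediately (403, no
    challenge) while a known user is challenged (401 + nonce). The status
    code alone tells the attacker which names are real."""
    if user not in USERS:
        return 403, "Forbidden", None
    if nonce is None or response is None:
        return _challenge()
    if hmac.compare_digest(compute_response(user, USERS[user], nonce), response):
        return 200, "OK", None
    return 403, "Forbidden", None


def hardened_register(user: str, nonce: Optional[str] = None,
                      response: Optional[str] = None) -> Reply:
    """Fixed shape: every name, real or not, gets the same challenge, and
    every failed attempt gets the same rejection. The digest is computed
    even for unknown users (with an empty password) so the amount of work,
    and therefore the timing, does not depend on account existence."""
    if nonce is None or response is None:
        return _challenge()
    expected = compute_response(user, USERS.get(user, ""), nonce)
    matched = hmac.compare_digest(expected, response)
    if matched and user in USERS:
        return 200, "OK", None
    return 403, "Forbidden", None


def enumerate_users(handler: Callable[..., Reply], candidates: List[str]) -> List[str]:
    """Attacker view. Probe a name that certainly does not exist to learn the
    baseline behaviour, then probe each candidate the same way (one request
    without credentials, one with a bogus response). Names whose reply
    sequence differs from the baseline are presumed valid."""
    def probe(name: str) -> Tuple[int, bool, int]:
        first = handler(name)
        second = handler(name, first[2] or "x", "0" * 64)
        return first[0], first[2] is not None, second[0]

    baseline = probe("zz-nonexistent-" + secrets.token_hex(4))
    return sorted(name for name in candidates if probe(name) != baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print("leaky server reveals:   ", enumerate_users(leaky_register, names))
    print("hardened server reveals:", enumerate_users(hardened_register, names))
```

Against leaky_register the scanner recovers alice and bob; against hardened_register it recovers nothing, because the reply for mallory is indistinguishable from the reply for a real account with a wrong password. When verifying a packaged fix of this kind, probe real and fictitious names side by side and compare the full response (status, reason phrase, presence and shape of the challenge), not just whether registration eventually fails.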
Brian Thomason (brian-thomason) wrote :

debdiff for Jaunty

Jamie Strandboge (jdstrand) wrote :

Marking the Jaunty task back to 'In Progress' (per https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update) since CVE-2009-0041 was not fixed.

Changed in asterisk (Ubuntu Jaunty):
status: Fix Released → In Progress
Brian Thomason (brian-thomason) wrote :

Debdiff for Intrepid

Changed in asterisk (Ubuntu Intrepid):
status: Triaged → In Progress
Brian Thomason (brian-thomason) wrote :

Setting karmic status to invalid as none of these affect the version there.

Changed in asterisk (Ubuntu Karmic):
status: Fix Released → Invalid
Kees Cook (kees) wrote :

Looks good. It sounds like you tested on Hardy -- did Intrepid and Jaunty get tested as well? I'll get these ready for uploading.

Changed in asterisk (Ubuntu Jaunty):
assignee: nobody → Brian Thomason (brian-thomason)
Kees Cook (kees)
Changed in asterisk (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in asterisk (Ubuntu Jaunty):
status: In Progress → Fix Committed
Kees Cook (kees) wrote :

Any progress on testing these changes?

Brian Thomason (brian-thomason) wrote :

Hi Kees,

I tested it out today and am successfully able to make calls from different PCs (and different IAX clients) to the echo channel. I am unable to properly make two clients connect to one another. I had seemingly accomplished this on Hardy by running two copies of VoixPhone on the same machine running as different users, but the later versions of VoixPhone only support one running instance.

I tested on the unpatched asterisk from universe, and received the same behavior, so I doubt my ability to connect two clients has anything to do with my patch but rather with user error due to my ignorance of IAX.

It would be nice if someone else could give this a quick test before pushing it out into the wild.

Jamie Strandboge (jdstrand) wrote :

asterisk (1:1.4.21.2~dfsg-1ubuntu3.1) intrepid-security; urgency=low

  * SECURITY UPDATE: information leak in IAX2 authentication
    - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
      information leak in IAX2 authentication. Based on upstream patch.
    - CVE-2009-0041
    - AST-2009-001

Changed in asterisk (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

asterisk (1:1.4.21.2~dfsg-3ubuntu2.1) jaunty-security; urgency=low

  * SECURITY UPDATE: information leak in IAX2 authentication
    - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
      information leak in IAX2 authentication. Based on upstream patch.
    - CVE-2009-0041
    - AST-2009-001

Changed in asterisk (Ubuntu Jaunty):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
