Recently, ISS posted a report about a Denial of Service vulnerability in Asterisk's IAX2 implementation. This vulnerability exists in all existing IAX2 implementations that accept incoming calls (not just Asterisk), and relates to the amount of time that a pending (but not yet authenticated) call is allowed to exist in memory on the server.
In response to this report, we recently released Asterisk 1.2.10, which provides a configuration option that the administrator can use to combat this activity. This option is called 'maxauthreq' and is available at the global level and for type=user entries in iax.conf (it is not needed for type=peer entries, since peers cannot place calls into the Asterisk server). Since this is a release branch of Asterisk, we were not comfortable changing the default behavior, so this new option defaults to zero, which means there is no limit in place.

We urge all users with Asterisk servers connected to public (or otherwise uncontrolled) networks to upgrade to Asterisk 1.2.10 and set this configuration option to a reasonable value; for most IAX2 user accounts a value of three will be more than adequate. If the user attempts to place more calls than are allowed without providing authentication information for some of them, the additional requests will be denied without requesting authentication information and without preserving the call information in memory for the normal period of time.

In the Asterisk 1.4 release, which will be coming soon, this option will default to three for all installations, and the administrator will need to override it to allow more simultaneous unauthenticated calls.

We want to thank ISS for bringing this vulnerability to our attention and allowing us to work on (and release) a fix/workaround prior to public announcement of the vulnerability.

--
Kevin P. Fleming
Senior Software Engineer
Digium, Inc.
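The following is an added example, not code from the post or from Asterisk itself. It parses a constructed iax.conf fragment with Python's standard configparser, works out the effective 'maxauthreq' for each type=user entry (a per-user value overrides the [general] value; an absent value means 0, i.e. no limit, as in the 1.2.10 default), and then models the behaviour the post describes: a user's pending unauthenticated call requests are counted, and once the limit is reached further requests are refused without any state being kept. The usernames, secrets and the limiter itself are assumptions for illustration; they are not Asterisk's implementation.

```python
"""Added example (not Asterisk's own code): model how the 'maxauthreq'
iax.conf option limits pending unauthenticated IAX2 call requests.

Assumptions: the iax.conf text below is constructed for this example, and
PendingAuthGate is a simplified model of the behaviour described in the
post, not Asterisk's implementation.
"""
import configparser

# Constructed iax.conf fragment. 'alice' inherits the global value, 'bob'
# overrides it, and 'legacy' explicitly disables the limit (0 = no limit).
SAMPLE_IAX_CONF = """
[general]
bindport=4569
maxauthreq=3

[alice]
type=user
secret=example-secret
context=from-alice

[bob]
type=user
secret=example-secret
maxauthreq=1

[legacy]
type=user
secret=example-secret
maxauthreq=0

[trunkpeer]
type=peer
host=192.0.2.10
"""


def load_maxauthreq(conf_text):
    """Return {username: effective maxauthreq} for every type=user entry.

    A per-user value overrides [general]; an absent value means 0 (no limit),
    matching the Asterisk 1.2.10 default described in the post.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    global_limit = cp.getint("general", "maxauthreq", fallback=0)
    limits = {}
    for section in cp.sections():
        if section == "general" or cp.get(section, "type", fallback="") != "user":
            continue  # peers cannot place calls into the server; no limit needed
        limits[section] = cp.getint(section, "maxauthreq", fallback=global_limit)
    return limits


class PendingAuthGate:
    """Count pending (not yet authenticated) call requests per user and refuse
    new ones once that user's maxauthreq is reached.

    new_call() returns True when the request may proceed to the
    authentication challenge, False when it is rejected immediately without
    any call state being allocated.
    """

    def __init__(self, limits):
        self.limits = limits
        self.pending = {}

    def new_call(self, user):
        limit = self.limits.get(user, 0)
        count = self.pending.get(user, 0)
        if limit and count >= limit:
            return False  # over the limit: deny without keeping state
        self.pending[user] = count + 1
        return True

    def authenticated(self, user):
        """The call answered its challenge (or timed out): free the slot."""
        if self.pending.get(user, 0) > 0:
            self.pending[user] -= 1


def simulate(conf_text, user, attempts):
    """Send `attempts` unauthenticated NEW requests for `user` without ever
    answering the challenge and return how many were accepted."""
    gate = PendingAuthGate(load_maxauthreq(conf_text))
    return sum(1 for _ in range(attempts) if gate.new_call(user))


if __name__ == "__main__":
    for name in ("alice", "bob", "legacy"):
        print(name, simulate(SAMPLE_IAX_CONF, name, 10), "of 10 accepted")
```

Run as-is to see that 'alice' and 'bob' are capped at 3 and 1 pending requests respectively, while 'legacy' (maxauthreq=0) accepts all ten, which is the unlimited 1.2.10 default the post recommends changing on servers reachable from uncontrolled networks.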
