Miscellaneous Potential Security Weaknesses

There are several Asterisk configuration or operational behaviors that affect security when default settings are used.

Attack IAX Channels Pass Media over the Same Port as Signaling

Popularity: 6    Simplicity: 6    Impact: 8    Risk Rating: 7

IAX channels pass signaling and media over a single port. While this is advantageous for internetworking in the presence of NATs, it makes it easier for a non-MITM attacker to interfere with both the signaling and the media streams. A blind attack across 10,000 RTP ports would have a much lower probability of success.

Countermeasure Use a Firewall to Protect the IAX Ports

You can program a firewall to protect access to the Asterisk IP PBX. This will help prevent attackers from accessing or attacking open ports.

In addition to a traditional firewall, you can deploy application-layer or VoIP firewalls. VoIP firewalls are available from several vendors, including SecureLogix (http://www.securelogix.com), Sipera (http://www.sipera.com), Borderware (http://www.borderware.com), and Ingate (http://www.ingate.com). Some traditional firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) also provide support for VoIP. Note, however, that at this time, none of these products provides in-depth analysis of IAX signaling to detect attacks.

Attack Passwords and Authentication Information Are Not Encrypted

Popularity: 6    Simplicity: 7    Impact: 8    Risk Rating: 7

The passwords stored within *.conf files are not required to be encrypted. However, passwords in the sip.conf file may be encrypted.

The Asterisk Manager interface is an API that allows external applications to communicate with Asterisk, similar to commands used in the Asterisk console. Unfortunately, the Asterisk Manager interface uses plaintext passwords. Also, all connected terminals receive all events.

The passwords within the AstDB don't have to be encrypted, nor is there a native application (meaning an application delivered with the open-source version) to store and encrypt passwords and retrieve and decrypt them before use in authentication applications. However, the developers of Asterisk would be quick to point out that anyone could submit a contribution to the open-source project to implement that level of security.

IAX does not require authentication to be used between endpoints. An option to use plaintext-based authentication exists, but is not secure.

Countermeasure Encrypt Passwords and Use Secure Authentication Means

If you do not wish to have plaintext secrets in your sip.conf files, you can use md5secret to configure the MD5 hash that can be used for authentication. To generate the MD5 hash from the Linux console, use the following command:

 # echo -n "username:realm:secret" | md5sum 

Be sure to use the -n flag, or echo will append a \n to the end of the string; the line feed will then be included in the MD5 calculation, producing an incorrect hash. The realm, if not specified with the realm option, defaults to Asterisk. If both an md5secret and a secret are specified in the same channel definition, the secret will be ignored.

 md5secret=0bcbe762982374c276fb01af6d272dca 
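The md5secret derivation above, as an added Python example that is not from the book: it hashes username:realm:secret without a trailing newline, shows the wrong hash that echo without -n would produce, and validates a value before it is pasted into sip.conf (the credentials and the realm voip.example are constructed; the realm must match whatever the server uses).

```python
import hashlib
import re

def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of raw bytes (the same value md5sum prints for that input)."""
    return hashlib.md5(data).hexdigest()

def sip_md5secret(username: str, realm: str, secret: str) -> str:
    """md5secret for sip.conf: MD5 over 'username:realm:secret' with NO trailing newline.
    realm must be the realm the server actually uses (its realm option or the default)."""
    return md5_hex(f"{username}:{realm}:{secret}".encode())

def echo_without_n_hash(username: str, realm: str, secret: str) -> str:
    """The wrong hash produced when echo runs without -n: the line feed is hashed too."""
    return md5_hex(f"{username}:{realm}:{secret}\n".encode())

_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def check_md5secret_value(value: str):
    """Validate a value before it goes into md5secret=. Returns (ok, normalized_or_reason).
    Catches the common mistake of pasting md5sum's whole output line ('<hash>  -')."""
    v = value.strip()
    if v.endswith("-") and _MD5_RE.match(v[:-1].rstrip()):
        return False, "value includes md5sum's trailing ' -' marker; paste only the hash"
    if not _MD5_RE.match(v):
        return False, f"not a 32-character hex MD5 digest (got {len(v)} characters)"
    return True, v.lower()

def md5secret_line(username: str, realm: str, secret: str) -> str:
    """The sip.conf line for the peer/user definition (any secret= line is then ignored)."""
    return f"md5secret={sip_md5secret(username, realm, secret)}"

if __name__ == "__main__":
    # Constructed sample credentials; use the realm your sip.conf actually sets.
    user, realm, secret = "2001", "voip.example", "s3cr3t-example"
    print(md5secret_line(user, realm, secret))
    print("hash with stray newline:", echo_without_n_hash(user, realm, secret))
```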

The Asterisk Manager interface should only be used on the trusted LAN or locally on the same system running Asterisk.

IAX provides authentication support to enable security between endpoints. This does not involve encryption, but can be used to more carefully control who can make connections to Asterisk. There are three levels of authentication, controlled by the auth channel option:

  • Plaintext   Offers very little security. This will prevent connection to the channel unless a valid password is supplied. However, the password is both stored in iax.conf in plaintext and is transmitted as plaintext.

  • MD5   Provides improved security. However, the secret is stored as plaintext in the iax.conf file.

  • RSA   Provides the best security. Before using RSA, each endpoint must create a public and private key pair through the astgenkey script, typically located in /usr/src/asterisk/contrib/scripts/. The public key must then be given to the far end. Each end of the circuit must include the public key of the far end in its channel definition, using the inkeys and outkey parameters. RSA keys are stored in /var/lib/asterisk/keys/. Public keys are named name.pub; private keys are named name.key. Private keys must be encrypted with 3DES.
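An added Python example (not from the book) that audits the auth levels just described across the peer sections of an iax.conf: it reports the weakest method each section allows, flags plaintext, an rsa entry missing inkeys/outkey, and md5/plaintext entries with no secret. The iax.conf excerpt is constructed, and sections without an auth line are reported rather than assumed to take any particular default.

```python
import configparser

# Constructed iax.conf excerpt used as sample input (not taken from the page).
SAMPLE_IAX_CONF = """
[branch-weak]
auth=plaintext
secret=letmein

[branch-md5]
auth=md5
secret=c0rrecth0rse

[branch-rsa]
auth=rsa
inkeys=branch_office
outkey=headquarters

[branch-broken]
auth=md5,rsa
"""

# Higher number = stronger level, in the order the text lists them.
STRENGTH = {"plaintext": 0, "md5": 1, "rsa": 2}

def audit_iax_peers(conf_text: str) -> dict:
    """Map each section (except [general]) to (weakest allowed auth method, findings).
    auth may list several comma-separated methods; the weakest one sets the risk."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if name == "general":
            continue
        sec, findings = cp[name], []
        # keep only the three methods the text describes; anything else is ignored here
        methods = [m.strip().lower() for m in sec.get("auth", "").split(",")
                   if m.strip().lower() in STRENGTH]
        if not methods:
            report[name] = (None, ["auth not set explicitly; the driver default applies"])
            continue
        weakest = min(methods, key=STRENGTH.get)
        if "plaintext" in methods:
            findings.append("plaintext allowed: password is transmitted in the clear")
        if "rsa" in methods and not (sec.get("inkeys") and sec.get("outkey")):
            findings.append("rsa listed but inkeys and outkey are not both set")
        if weakest != "rsa" and not sec.get("secret"):
            findings.append("md5/plaintext allowed but no secret configured")
        report[name] = (weakest, findings)
    return report
```

An md5 entry with no findings still keeps its secret in plaintext in iax.conf, as the text notes; only rsa avoids that.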

Nonsecure Registration

Popularity: 5    Simplicity: 4    Impact: 6    Risk Rating: 5

Encrypting communications between Asterisk servers is suggested, but not required. Therefore, it is possible to hijack Asterisk registrations in a similar manner to hijacking SIP registrations. A register statement is a means of informing a remote peer where your Asterisk system is located. Asterisk uses register statements to authenticate with remote providers when dynamic IP addresses are used or the addresses are not stored.

Countermeasure Secure Communications Between Asterisk IP PBXs

The best countermeasure against attacks on the registration process is to use encryption and authentication (through, for example, a VPN) between Asterisk IP PBXs.

Attack webvmail

Popularity: 4    Simplicity: 5    Impact: 5    Risk Rating: 5

The Asterisk Web Voicemail script provides a Graphical User Interface (GUI) to a user's voicemail account. If you choose to employ the Asterisk Web Voicemail script, be aware that it requires root privileges. When you use the make webvmail command, the Asterisk Web Voicemail script will be placed into the cgi-bin/ directory of the HTTP daemon. This is a setuid root Perl script.

Countermeasure webvmail

While there really isn't a countermeasure for this, it is something for the administrator to be aware of.

Attack Dialplan Toll Fraud

Popularity: 4    Simplicity: 5    Impact: 5    Risk Rating: 5

If an inbound context allows outbound dialing, then an attacker could dial in and make outbound toll calls.

Countermeasure Don't Allow Inbound Contexts to Allow Outbound Calling

Contexts can be used to enforce security. Contexts can also be used to give certain callers access to features that are not available to others. You definitely don't want to allow an inbound caller to be able to dial outbound calls to toll numbers.



Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
Year: 2004