Hey All,

Many of you may have noticed the most recent security release for correcting a potential RTP hijacking vulnerability when strictrtp is enabled in conjunction with certain nat settings. In reality, it’s very challenging to get gain and plunder from the bug due to several mitigation strategies used in Asterisk (random rtp port selection and large default rtp port range).

Unfortunately after releasing the RTP security patch it was also determined that the RTCP stream had the same potential stream hijacking flaw. In addition, the security patch in question also made remote address training occur too quickly which has its own potential unintended consequences.

It was frustrating that we missed these two malfunctions, and so in an effort to make sure that there are no other known holes, we put fixes for the two bugs up on gerrit and also took a look back at the RTP RFC to make sure that our RTP/RTCP stream qualification code doesn’t have any additional issues.

We’d appreciate anybody that has any interest in this area to lend some more eyeballs to the reviews in question, as this is a case that lots of brains could help close these bugs up better. The reviews in question are:

https://gerrit.asterisk.org/#/c/6443/
For the RTCP hijacking vulnerability, as well as some additional RTCP fixes.

https://gerrit.asterisk.org/#/c/6410/
For the too rapid training bug, as well as any other RTP fixes that we could find.

Your thoughts and attention would be much appreciated.

--
Matthew Fredrickson
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA