Vigil@nce: Asterisk, denial of service via IAX2 POKE
July 2008 by Vigil@nce
An attacker can create a denial of service by sending several POKE
queries to an Asterisk server using the IAX2 protocol.
– Gravity: 2/4
– Consequences: denial of service of service
– Provenance: intranet client
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 23/07/2008
– Identifier: VIGILANCE-VUL-7965
IMPACTED PRODUCTS
– Fedora [confidential versions]
– Unix - plateform
DESCRIPTION
The IAX2 protocol can be used to check the connectivity with a
peer. If the session is active, a PING-PONG exchange is done, but
if there is no active session, the following exchange is used:
– the client sends a POKE query
– the server answers with a PONG packet containing a call number,
which is reserved
– the client sends an ACK packet containing this call number
However, an attacker can refuse to send the ACK packet. The
Asterisk server thus never frees the reserved call number.
An attacker can therefore send several POKE packets in order to
reserve all available call numbers.
A remote attacker can thus create a denial of service.
CHARACTERISTICS
– Identifiers: AST-2008-010, AST-2008-011, CVE-2008-3263,
FEDORA-2008-6676, VIGILANCE-VUL-7965
– Url: https://vigilance.aql.fr/tree/1/7965