JPCERT-AT-2010-0032
JPCERT/CC
2010-12-09 (First edition)
2010-12-15(Updated)
<<< JPCERT/CC Alert 09.12.10 >>>
Improperly setup Asterisk may be exploited for malicious purposes
https://www.jpcert.or.jp/at/2010/at100032.txt
I. Overview
JPCERT/CC has confirmed cases where Asterisk used with insufficient
security measures applied has resulted in unauthorized use such as
unintended international phone calls being made by a third party.
* Asterisk is an IP-PBX (Intenet Protocol Private Branch eXchange)
open source software that functions as an SIP server.
It is assumed that the attacker broadcasts SIP communication
5060/udp packets over the Internet, and performs brute-force attacks
on responding SIP servers in order to identify IDs and passwords
required to make calls on an IP phone. Subsequently, the attacker
uses the identified IDs and passwords to make unauthorized
international calls.
As a result, if security measures applied to the IP-PBX are
insufficient, an attacker could make unauthorized use of an operating
IP-PBX, which may result in being invoiced for international calls at
a later date.
It is assumed that the attacks are performed on any IP-PBX. However,
multiple cases have been confirmed where Asterisk users especially
have been billed large amounts for international calls.
The major cause is assumed to be that the applied security measures
were insufficient such as using sample passwords that are known to
the public or using easily guessable user names and passwords when
configuring Asterisk.
*** Update: Added on December 15, 2010 *******************************
II. Cases reported to JPCERT/CC
JPCERT/CC has received a report concerning a host that was
performing attacks on SIP servers.
The attack on the SIP server confirmed in the report involved the use
of exploit tools released on the Internet to perform dictionary
attacks in order to identify user (peer) names and passwords. The
dictionary used in the attack consisted mostly of numbers, words, and
people's names.
[Examples of character strings in the dictionary]
- Combinations of numbers from one digit up to twelve digits
* This includes the sample password "1234"
- Words and people's names
coffee, japan, key, account, admin, password, pass, sip, test,
voip, alice, bobby, michael , etc.
- Combinations of simple character strings and numbers
abcd123, pass1234, password1, pw1, passw0rd, etc.
If you have any information of similar attack cases or compromises,
please report using the following web form or via e-mail.
Web form: https://form.jpcert.or.jp/
e-mail: info@jpcert.or.jp
**********************************************************************
III. Solution
Consider the following measures in order to prevent unauthorized
external use of Asterisk. (This solution is written based on information
from VoIP Info.jp and material provide by NTT-CERT)
******* Solutions recommended by VoIP Info.jp and NTT-CERT from here *******
1) If not necessary, do not make Asterisk available over the Internet.
- Put Asterisk behind a gateway (routers, etc.) (do not connect
it directly to the Internet)
- Using firewall functions of the gateway, etc., block external
packets sent to Asterisk.
- If connections over the Internet to Asterisk is necessary, use
VPN connections.
2) Reject calls by guest users (number unconfigured).
- Unless there are special reasons to allow guest connections,
set allowguest=no in sip.conf (when allowguest is not specified,
calls by guest users will be allowed by default.)
3) Apply measures against brute-force attacks
- Set appropriate SIP user (peer) names and passwords for REGISTER
- Use long passwords. Combine upper and lower cases, numbers
and symbols to create passwords at least 8 characters long,
or if possible 14 or more characters long.
- Use long user names (extension numbers and SIP user names do
not need to be the same).
- Apply a filter based on port numbers and source IP addresses
- On the server where Asterisk is installed, use iptables etc.
to allow only those ports used for communication
- If permitted IP addresses are known, specify those IP addresses
- Provide access control using the configuration file of Asterisk
(exampe: sip.conf)
deny=0.0.0.0/0.0.0.0
permit=(call permitted address)/255.255.255.0
- Perform filtering using firewall functions of the gateway, etc.
- Configure externally connected routers and firewalls etc.
to allow only SIP/RTP traffic to Asterisk
- If permitted IP addresses are known, specify those IP addresses
- Use domain authentication
- Reject REGISTER requests from all domains except for the one specified.
(exampe: sip.conf)
domain=jpcert.or.jp
- Remove unnecessary (unused) users
- Change replies to non-existing users from 404 to 403
(exampe: sip.conf)
alwaysauthreject=yes
- Monitor the logs to detect brute-force attacks trying to
identify user names and passwords
(examples of log files when installed on a Linux system)
/var/log/asterisk/messages
/var/log/asterisk/cd-r-csv/Master.csv
4) Apply measures to prevent unauthorized out-going calls
- Change the external call prefix to special numbers
- Prohibit out-going calls unless a special prefix (number) is
added when making out-going calls
- Prohibit calls based on source extension number
- Divide extension numbers into those permitted to call outside
and those not (refer to Appendix 2)
- Restrict calls by destination
- If 010 (international call prefix), 00 (calls specifying a
relay telephone carrier) Restrict calls to specified external numbers
(refer to Appendix 3)
* Note that if international calls will not be made at all,
disabling international calls may be possible depending on your
telephone carrier. Consult your telephone carrier.
(For you information) Other recommended solutions
1) Do not launch Asterisk services with root permission
- Since the default installation launches with root permission,
configure Asterisk to launch services with general user
permission (example user name: asterisk)
2) Limit access to the administration interface if the administration
interface is used
- When using CLI functions after logging in from remote, use, for
example, SSH (public key authentication) and restrict access
using TCP Wrapper
- When using the administration interface (AMI), use manager.conf
to configure access restrictions
* Multiple versions of Asterisk exist. The configuration examples
introduced here have been confirmed using Asterisk 1.6.2.12-rc1.
Configurations may differ depending on the version used, so refer to
the product documentation or vendor information for details.
* Configuration examples of Appendix 1 - 3 are posted on the following
URL so please refer to them as well.
https://www.jpcert.or.jp/at/2010/at100032_sample.txt
****** End of solutions recommended by VoIP Info.jp and NTT-CERT *****
Note that, depending on your telecommunication carrier, applying the
solutions may disrupt connectivity. Therefore, consult your carrier as
necessary.
In addition to applying the solutions, JPCERT/CC recommends checking
the detailed phone bills for unauthorized use.
Furthermore, check whether your operating systems and software are up
to date, and update them if necessary. For those using other IP-PBX
systems, refer to the solutions and consider applicable security
measures.
IV. References
Japan Internet Providers Association
Regarding the alert concerning international calls made through
unauthorized use of IP phones
http://www.jaipa.or.jp/topics/?p=371
Telecommunications Carriers Association
[Attention] Look out for unknown international calls
http://www.tca.or.jp/topics/2010/1124_431.html
Asterisk SIP Security
http://voip-info.jp/index.php/Asterisk_SIP_%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3
Asterisk Security Advisories
http://www.asterisk.org/security
V. Acknowledgement
JPCERT/CC would like to thank the following for their cooperation
with regard to the solution information provided.
VoIP Info.jp (http://voip-info.jp/)
NTT-CERT (https://www.ntt-cert.org/)
If you have any further questions or information regarding this alert,
please contact JPCERT/CC.
________
Revision history
2010-12-09 First edition
2010-12-15 Added cases reported to JPCERT/CC
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top