Found a Dangerous Vulnerability in Asterisk that Allows Intercepting VoIP Traffic
A vulnerability has been found in Asterisk, a popular IP telephony platform, that allows an attacker to inject RTP packets into a conversation or eavesdrop on RTP traffic.
How it works
To exploit the vulnerability, the attacker sends an RTP packet to a server port to which an RTP stream is currently attached. If the server is vulnerable, it responds with the RTP stream packets destined for the subscriber who is actually using that port for the conversation. The attacker does not need to be positioned between the server and the subscriber. Although the name resembles Heartbleed, in practice the vulnerability enables something closer to a MITM attack.
This is possible because of how some RTP proxies operate. To work around the "problems" of delivering RTP packets through NAT, the proxy requires no authentication before it records in its internal table the final IP address and port to which RTP replies should be sent so that they reach the subscriber. The RTP proxy "remembers" the IP/port pair simply from the source IP/port it receives the subscriber's RTP packets from.
Thus, to receive packets intended for another subscriber, the attacker only needs to know the RTP port that subscriber is using and start sending RTP packets to it, thereby misleading the RTP proxy.
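The address-learning behaviour described above is also what a defender can watch for on the media server. The following is an added example, not code from the article or from Asterisk: a small RTP header parser and a monitor that records the first remote endpoint seen on each server media port and flags any later RTP for that port arriving from a different endpoint. The port numbers, addresses and SSRCs are constructed sample values.

```python
import struct
from collections import namedtuple

# Fixed 12-byte RTP header fields we care about (RFC 3550).
RtpHeader = namedtuple("RtpHeader", "payload_type seq timestamp ssrc")

def parse_rtp(data: bytes) -> RtpHeader:
    """Parse the fixed RTP header; raise ValueError on anything that is not RTPv2."""
    if len(data) < 12:
        raise ValueError("packet shorter than the 12-byte RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return RtpHeader(b1 & 0x7F, seq, ts, ssrc)

class RtpSourceMonitor:
    """Per local media port, remember the first remote endpoint that sent RTP and
    report any later packet for that port that comes from a different endpoint.
    This is exactly the condition a vulnerable NAT-learning proxy silently accepts."""

    def __init__(self):
        self.learned = {}  # local_port -> (remote (ip, port), ssrc)
        self.alerts = []   # (local_port, learned_remote, new_remote, ssrc_changed)

    def observe(self, local_port, remote, data):
        hdr = parse_rtp(data)
        known = self.learned.get(local_port)
        if known is None:               # first packet for this port: learn it
            self.learned[local_port] = (remote, hdr.ssrc)
            return None
        if known[0] == remote:          # same endpoint as before: normal traffic
            return None
        alert = (local_port, known[0], remote, hdr.ssrc != known[1])
        self.alerts.append(alert)
        return alert

def build_rtp(seq, ts, ssrc, pt=0, payload=b"\x00" * 160):
    """Constructed RTPv2 packet (no padding/extension/CSRC) for the demo."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

def demo():
    mon = RtpSourceMonitor()
    # Constructed: the real subscriber, seen behind NAT as 203.0.113.5:40000, feeds
    # server port 10000 with a consistent SSRC.
    for i in range(3):
        mon.observe(10000, ("203.0.113.5", 40000), build_rtp(100 + i, 160 * i, 0xDEADBEEF))
    # Constructed: an unrelated host sends a single RTP packet to the same server port.
    alert = mon.observe(10000, ("198.51.100.7", 5555), build_rtp(1, 0, 0x12345678))
    return mon, alert
```

A legitimate NAT rebinding can also change the source endpoint mid-call, so treat an alert as a signal to correlate with SIP session state rather than as proof of an attack.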
- Affected Asterisk versions: 11.4.0 through 14.6.1.
More details can be found on the vulnerability's official website, rtpbleed.com.
Tools
To check if your systems are vulnerable to RTP Bleed, you can use the free rtpnatscan tool.
To install it, clone the repository and compile the utilities:
git clone https://github.com/kapejod/rtpnatscan.git
cd rtpnatscan
make rtpnatscan
make rtcpnatscan
Next, make a call and check which ports are being used for RTP, for example via the Asterisk CLI:
asterisk -r
rtp set debug on
Next, from a third-party machine, run an rtpnatscan scan and try to receive RTP packets:
./rtpnatscan <server> <start_port> <final_port> <number_of_packets>
No MITM technique such as ARP spoofing is needed for this; you only need to be able to send RTP packets to the vulnerable server and port.
- If the remote server sends RTP packets in response, your configuration is vulnerable.
rtpnatscan is only a scanner and does not let you listen to the conversation.
In addition to rtpnatscan there is a paid tool with more capabilities.
How to protect yourself
- First of all, check whether your systems are vulnerable to RTP Bleed using the tool described above.
- There is an official patch for Asterisk, but it does not fully cover the vulnerability, so an additional patch is also recommended.
- If you cannot install the patch, avoid setting the nat = yes parameter in the Asterisk configuration, where your deployment allows it.
- It is also recommended to encrypt voice traffic, so that even if RTP packets are intercepted the attacker does not gain access to confidential information.