Barry Flanagan
2013-Feb-11 13:21 UTC
[asterisk-users] Possible Security issue with Kamailio - Asterisk Realtime integration
Hi I have an installation based on Daniel-Constantin Mierla's excellent Kamailio 3.3 / Asterisk 10 Realtime document ( http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb) but have come across an issue which is a potential problem. In this installation all SIP clients register with Kamailio, and the registrations are forwarded to Asterisk. This means that all registered clients (stored in sipregs table) have the same IP address and Port: that of the Kamailio server. The "secret" which Asterisk reads is empty to avoid Asterisk issuing a challenge. I have discovered that if a client successfully registers with Kamailio, but for whatever reason this user is not in the database Asterisk is accessing - say for example if two MySQL slaves are out of sync - and then sends an INVITE, Asterisk ends up picking the first user in sipregs which shares the same IP and Port as the incoming request and treats this as the Caller. Of course in our scenario there will be many of these because all clients are registered from Kamailio's IP/Port. For example, here is the sequence of database queries Asterisk performs when a client with a From of 101864 attempts to make a call: SELECT * FROM ast_sipusers WHERE name = '101864' AND host = 'dynamic' SELECT * FROM ast_sipusers WHERE name = '101864' SELECT * FROM ast_sipusers WHERE host = '10.5.76.67' AND port = '5060' AND callbackextension = '014373500' OK, the above are fine. Asterisk looks for a user, and a callback exten. SELECT * FROM ast_sipusers WHERE host = '10.5.76.67' AND port = '5060' Now Asterisk looks for a peer. Still OK. SELECT * FROM ast_sipregs WHERE ipaddr = '10.5.76.67' AND port = '5060' Here Asterisk is checking sipregs for ANY entry with the IP and Port of Kamailio. In this case it finds the first such user, 485833 SELECT * FROM ast_sipusers WHERE name = '485833' Now Asterisk treats this call as if it was coming from 485833, which is totally wrong and very bad. Does anyone know what I would need to do in order to ensure that Asterisk rejects the call attempt if it does not find an exact username match? Thanks -Barry Flanagan -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20130211/9cf83033/attachment.htm>
Possibly Parallel Threads
- R: new way of asterisk and kamailio(openser) realtime integration
- new way of asterisk and kamailio (openser) realtime integration
- Asterisk 11.3 and Kamailio 4.0 Realtime Integration Tutorial
- asterisk realtime database structure
- Social Networking Event * Berlin Nov 12