Bug #6632
Closed
siproxd hosts_allow_reg should be configurable
Description
siproxd is providing a configuration option "hosts_allow_reg" which
implements a positive access control list for hosts allowed
to SIP REGISTER.
If this option is not set, and the SIP port 5060 is wide open at
the firewall, anyone is able to send fake SIP REGISTER requests
to siproxd.
Issues:
1) this may lead to a DoS attack because the size of the list of
registrations is surely bound to some limit. This situation is aggravated
by the fact that registrations remain active even if the upstream SIP
server has rejected the request.
2) specially crafted SIP REGISTER requests might be used to discover
the internal topology of the network behind the firewall.
A packet sent to siproxd over the WAN interface:
-- begin of packet --
REGISTER sip:some.sip-provider.com SIP/2.0
Via: SIP/2.0/UDP 192.168.0.169:5060
...
--- end of packet ---
is causing this error message in siproxd:
22:30:27 ERROR:sock.c:445 sendto() [192.168.0.169:5060 size=730] call failed: Host is down
This means that siproxd is actually trying to connect to 192.168.0.169 (the faked
IP from the Via-Header). This could be misused for various replay attacks as well.
To cut a long story short: we need a (preferably mandatory and preset to the
LAN's network) GUI setting for "hosts_allow_reg".
Updated by Chris Buechler over 7 years ago
- Subject changed from Insecure default configuration to siproxd hosts_allow_reg should be configurable
- Status changed from New to Confirmed
- Private changed from Yes to No
- Affected Version changed from 2.3.1 to All
If you open siproxd on WAN in firewall rules, you get what you're asking for security-wise. No shortage of potential problems inherent in that. That said, hosts_allow_reg should be configurable, maybe even required to be configured.
Updated by Kill Bill over 7 years ago
Chris Buechler wrote:
> If you open siproxd on WAN in firewall rules, you get what you're asking for security-wise. No shortage of potential problems inherent in that. That said, hosts_allow_reg should be configurable, maybe even required to be configured.
The package has firewall hooks to configure the rules automatically. IMNSHO this should simply hide WAN from the Inbound Interface list (plus people shouldn't be selecting WAN in the first place, ugh!)
On the application level, there are other ACLs (hosts_allow_sip, hosts_deny_sip) available as well, not just hosts_allow_reg, not sure if these are wanted to be configured or not.
Updated by Kill Bill over 7 years ago
Done with 1.1.3 (https://github.com/pfsense/FreeBSD-ports/pull/147), can be closed.
Updated by Jim Pingle over 7 years ago
- Status changed from Confirmed to Resolved
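The check that hosts_allow_reg is meant to provide, as an added Python sketch that is not part of the original ticket or of siproxd's code: the decision uses only the real UDP source address and never the Via header, which the sender controls. The function names, the comma-separated CIDR list format and the 203.0.113.7 source address are assumptions made for the illustration; the packet is the one quoted in the report.

```python
import ipaddress
import re

# Constructed sample: the REGISTER quoted in the report, as received on WAN.
SAMPLE_REGISTER = (
    "REGISTER sip:some.sip-provider.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.169:5060\r\n"
    "\r\n"
)

def parse_acl(value):
    """Parse a comma-separated CIDR list (assumed format); empty means unset."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]

def via_host(packet):
    """Return the sent-by host of the topmost Via header (IPv4 or hostname)."""
    m = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^\s:;,]+)",
                  packet, re.I | re.M)
    return m.group(1) if m else None

def check_register(packet, src_ip, hosts_allow_reg=""):
    """Evaluate a REGISTER against the allow list using the UDP source only."""
    src = ipaddress.ip_address(src_ip)
    acl = parse_acl(hosts_allow_reg)
    # An unset list filters nothing: this is the open default the report describes.
    allowed = not acl or any(src in net for net in acl)
    via = via_host(packet)
    return {
        "is_register": packet.startswith("REGISTER "),
        "allowed": allowed,
        "via_host": via,
        # The Via header is attacker-supplied; a mismatch with the real source
        # is the condition that led to the sendto() error in the report.
        "via_differs_from_source": via is not None and via != src_ip,
    }

if __name__ == "__main__":
    # Unset list: the spoofed request from a WAN address is accepted.
    print(check_register(SAMPLE_REGISTER, "203.0.113.7"))
    # List preset to the LAN network: the same request is refused.
    print(check_register(SAMPLE_REGISTER, "203.0.113.7", "192.168.0.0/24"))
```
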