Project

General

Profile

Actions

Bug #6632

closed

siproxd hosts_allow_reg should be configurable

Added by Robert Jordan over 7 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
siproxd
Target version:
-
Start date:
07/20/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
All
Affected Plus Version:
Affected Architecture:

Description

siproxd is providing a configuration option "hosts_allow_reg" which
implements a positive access control list for hosts allowed
to SIP REGISTER.

If this option is not set, and the SIP port 5060 is wide open at
the firewall, anyone is able to send fake SIP REGISTER requests
to siproxd.

Issues:

1) this may lead to a DoS attack because the size of the list of
registrations is surely bound to some limit. This situation is aggravated
by the fact that registrations remain active even if the upstream SIP
server has rejected the request.

2) specially crafted SIP REGISTER requests might be used to discover
the internal topology of the network behind the firewall.

A packet sent to siproxd over the WAN interface:

-- begin of packet --
REGISTER sip:some.sip-provider.com SIP/2.0
Via: SIP/2.0/UDP 192.168.0.169:5060
...
--- end of packet ---

is causing this error message in siproxd:

22:30:27 ERROR:sock.c:445 sendto() [192.168.0.169:5060 size=730] call failed: Host is down

This means that siproxd is actually trying to connect to 192.168.0.169 (the faked
IP from the Via-Header). This could be misused for various replay attacks as well.

To cut a long story short: we need a (preferably mandatory and preset to the
LAN's network) GUI setting for "hosts_allow_reg".

Actions #1

Updated by Chris Buechler over 7 years ago

  • Subject changed from Insecure default configuration to siproxd hosts_allow_reg should be configurable
  • Status changed from New to Confirmed
  • Private changed from Yes to No
  • Affected Version changed from 2.3.1 to All

if you open siproxd on WAN in firewall rules, you get what you're asking for security-wise. No shortage of potential problems inherent in that. That said, hosts_allow_reg should be configurable, maybe even required to be configured.

Actions #2

Updated by Kill Bill over 7 years ago

Chris Buechler wrote:

if you open siproxd on WAN in firewall rules, you get what you're asking for security-wise. No shortage of potential problems inherent in that. That said, hosts_allow_reg should be configurable, maybe even required to be configured.

The package has firewall hooks to configure the rules automatically. IMNSHO this should simply hide WAN from the Inbound Interface list (plus people shouldn't be selecting WAN in the first place, ugh!)

On application level, there are other ACLs (hosts_allow_sip, hosts_deny_sip) available as well, not just hosts_allow_reg, not sure if these are wanted to be configured or not.

Actions #3

Updated by Kill Bill over 7 years ago

Done with 1.1.3 (https://github.com/pfsense/FreeBSD-ports/pull/147), can be closed.

Actions #4

Updated by Jim Pingle over 7 years ago

  • Status changed from Confirmed to Resolved
Actions

Also available in: Atom PDF