From 699005a0cded5114fe183c16656d3d2f1ea5b09f Mon Sep 17 00:00:00 2001
From: Terry Wilson
Date: Mon, 21 Nov 2011 20:23:55 +0000
Subject: [PATCH] Default to nat=yes; warn when nat in general and peer differ
It is possible to enumerate SIP usernames when the general and user/peer nat settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport and the other was nat=no. In order to address this problem, it was decided to switch the default behavior to nat=yes/force_rport as it is the most commonly used option and to strongly discourage setting nat per-peer/user when at all possible. For more discussion of the issue, please see: http://lists.digium.com/pipermail/asterisk-dev/2011-November/052191.html (closes issue ASTERISK-18862) Review: https://reviewboard.asterisk.org/r/1591/ ........ Merged revisions 345776 from http://svn.asterisk.org/svn/asterisk/branches/1.4 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@345800 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 CHANGES | 12 ++++++++++++
 channels/chan_sip.c | 37 +++++++++++++++++++++++++------------
 configs/sip.conf.sample | 17 +++++++++--------
 3 files changed, 46 insertions(+), 20 deletions(-)
diff --git a/CHANGES b/CHANGES
index f200a60c1f..63ed23bf39 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,18 @@
 ===
 ======================================================================
 
+------------------------------------------------------------------------------
+--- Functionality changes since Asterisk 1.6.2.20 -------------
+------------------------------------------------------------------------------
+
+SIP Changes
+-----------
+ * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
+ now defaults to yes. It is very important that phones requiring nat=no be
+ specifically set as such instead of relying on the default setting. If at all
+ possible, all devices should have nat settings configured in the general section as
+ opposed to configuring nat per-device.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2 -------------
 ------------------------------------------------------------------------------
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 328643e844..a9a5085078 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -24164,15 +24164,14 @@ static int handle_common_options(struct ast_flags *flags, struct ast_flags *mask
 }
 } else if (!strcasecmp(v->name, "nat")) {
 ast_set_flag(&mask[0], SIP_NAT);
- ast_clear_flag(&flags[0], SIP_NAT);
- if (!strcasecmp(v->value, "never"))
- ast_set_flag(&flags[0], SIP_NAT_NEVER);
- else if (!strcasecmp(v->value, "route"))
- ast_set_flag(&flags[0], SIP_NAT_ROUTE);
- else if (ast_true(v->value))
- ast_set_flag(&flags[0], SIP_NAT_ALWAYS);
- else
- ast_set_flag(&flags[0], SIP_NAT_RFC3581);
+ ast_set_flag(&flags[0], SIP_NAT_ALWAYS);
+ if (!strcasecmp(v->value, "never")) {
+ ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_NEVER);
+ } else if (!strcasecmp(v->value, "route")) {
+ ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_ROUTE);
+ } else if (ast_false(v->value)) {
+ ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_RFC3581);
+ }
 } else if (!strcasecmp(v->name, "directmedia") || !strcasecmp(v->name, "canreinvite")) {
 ast_set_flag(&mask[0], SIP_REINVITE);
 ast_clear_flag(&flags[0], SIP_REINVITE);
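Review bot: The `nat=yes` default is applied with `ast_set_flag(&flags[0], SIP_NAT_ALWAYS)` while the three explicit values below it use `ast_set_flags_to(&flags[0], SIP_NAT, ...)`; unless SIP_NAT_ALWAYS happens to cover the whole SIP_NAT mask (its definition is outside this hunk), bits left over from a previously parsed value would survive the OR, so the default line should read `ast_set_flags_to(&flags[0], SIP_NAT, SIP_NAT_ALWAYS);` for symmetry and safety. A value recognised by neither `ast_false` nor the two strcasecmp branches (a typo, or a 1.8-style `nat=force_rport` carried over from another branch's config) now silently becomes nat=yes, whereas the removed code sent it to SIP_NAT_RFC3581; a trailing `else if (!ast_true(v->value)) { ast_log(LOG_WARNING, "Unknown 'nat' value '%s', treating it as nat=yes\n", v->value); }` would make that visible to the administrator rather than hiding a misconfiguration. handle_common_options starts and ends outside this hunk.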
@@ -25124,6 +25123,18 @@ static int peer_markall_func(void *device, void *arg, int flags)
 return 0;
 }
 
+static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
+ int global_nat, specific_nat;
+
+ if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT))) {
+ ast_log(LOG_WARNING, "!!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make\n");
+ ast_log(LOG_WARNING, "!!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users\n");
+ ast_log(LOG_WARNING, "!!! will be sent to a different port than replies for an existing peer/user. If at all possible,\n");
+ ast_log(LOG_WARNING, "!!! use the global 'nat' setting and do not set 'nat' per peer/user.\n");
+ ast_log(LOG_WARNING, "!!! (config category='%s' global='%s' peer/user='%s')\n", cat, nat2str(global_nat), nat2str(specific_nat));
+ }
+}
+
 /*! \brief Re-read SIP.conf config file
 \note This function reloads all config data, except for
 active peers (with registrations). They will only
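Review bot: display_nat_warning checks the mismatch only when `reason == CHANNEL_MODULE_LOAD`, so a per-peer `nat` line added to sip.conf and picked up by a later `sip reload` never produces this warning even though it creates exactly the enumeration condition the commit describes; if the restriction is meant to avoid repeating the message on every reload, that rationale belongs in a comment, otherwise the reason check should be dropped. The function also has none of the `/*! \brief` headers its neighbours carry; I would add `/*! \brief Warn when a peer/user's nat setting differs from [general]: replies for unknown and known names then leave from different ports, revealing which names exist. */` above it. Hoisting the two assignments out of the if condition, `specific_nat = ast_test_flag(&flags[0], SIP_NAT); global_nat = ast_test_flag(&global_flags[0], SIP_NAT);`, would make the comparison easier to read and audit.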
@@ -25338,9 +25349,10 @@ static int reload_config(enum channelreloadreason reason)
 ast_copy_string(default_mohinterpret, DEFAULT_MOHINTERPRET, sizeof(default_mohinterpret));
 ast_copy_string(default_mohsuggest, DEFAULT_MOHSUGGEST, sizeof(default_mohsuggest));
 ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
- ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
- ast_set_flag(&global_flags[0], SIP_NAT_RFC3581); /*!< NAT support if requested by device with rport */
- ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
+ ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
+ ast_set_flag(&global_flags[0], SIP_NAT_RFC3581); /*!< NAT support if requested by device with rport */
+ ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
+ ast_set_flag(&global_flags[0], SIP_NAT_ALWAYS); /*!< Default to nat=yes */
 ast_set_flag(&global_flags[1], SIP_PAGE2_FORWARD_LOOP_DETECTED); /*!< Set up call forward on 482 Loop Detected */
 
 /* Debugging settings, always default to off */
@@ -25993,6 +26005,7 @@ static int reload_config(enum channelreloadreason reason)
 }
 peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0);
 if (peer) {
+ display_nat_warning(cat, reason, &peer->flags[0]);
 ao2_t_link(peers, peer, "link peer into peers table");
 if ((peer->type & SIP_TYPE_PEER) && peer->addr.sin_addr.s_addr) {
 ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table");
diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
index 1eafdb6b49..e9abacc554 100644
--- a/configs/sip.conf.sample
+++ b/configs/sip.conf.sample
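Review bot: In the defaults block the new `ast_set_flag(&global_flags[0], SIP_NAT_ALWAYS)` is added directly after the retained `ast_set_flag(&global_flags[0], SIP_NAT_RFC3581)`, and whether the second call replaces the first or merely ORs into it depends on the SIP_NAT_* bit layout, which is not visible here; the retained comment `NAT support if requested by device with rport` in any case no longer describes the effective default. Dropping the RFC3581 line, or replacing the pair with a single `ast_set_flags_to(&global_flags[0], SIP_NAT, SIP_NAT_ALWAYS); /*!< Default to nat=yes */`, leaves one unambiguous statement of the security-relevant default. reload_config starts and ends outside this hunk.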
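Review bot: display_nat_warning is called here only for peers built from sip.conf categories, yet its message and the commit description say the enumeration risk applies to peers and users alike; if users are built in a separate loop, or realtime peers are loaded elsewhere in reload_config (both outside this hunk), those paths need the same call, e.g. `display_nat_warning(cat, reason, &user->flags[0]);` after a successful build_user. The comparison also presumes global_flags already reflects this reload's [general] section by the time the peer loop runs; if that ordering is guaranteed by an earlier pass over the file, a one-line comment saying so at the call site would save the next reader from having to verify it.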
@@ -660,10 +660,18 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ; The following settings are allowed (both globally and in individual sections):
 ;
 ; nat = no ; default. Use NAT mode only according to RFC3581 (;rport)
-; nat = yes ; Always ignore info and assume NAT
+; nat = yes ; Always ignore info and assume NAT (default)
 ; nat = never ; Never attempt NAT mode or RFC3581 support
 ; nat = route ; route = Assume NAT, don't send rport
 ; ; (work around more UNIDEN bugs)
+;
+; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
+; the nat setting in a peer definition, then the peer username will be discoverable
+; by outside parties as Asterisk will respond to different ports for defined and
+; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
+; GENERAL SECTION. Specifically, if nat=route or nat=yes in one section and nat=no or
+; nat=never in the other, then valid users with settings differing from those in the
+; general section will be discoverable.
 
 ;----------------------------------- MEDIA HANDLING --------------------------------
 ; By default, Asterisk tries to re-invite media streams to an optimal path. If there's
@@ -990,12 +998,10 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 type=friend
 
 [natted-phone](!,basic-options) ; another template inheriting basic-options
- nat=yes
 directmedia=no
 host=dynamic
 
 [public-phone](!,basic-options) ; another template inheriting basic-options
- nat=no
 directmedia=yes
 
 [my-codecs](!) ; a template for my preferred codecs
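Review bot: The option table now carries two lines claiming to be the default: the unchanged `; nat = no ; default. Use NAT mode only according to RFC3581 (;rport)` immediately above the new `; nat = yes ; ... (default)`, which contradicts both the code change and the CHANGES entry and will mislead anyone who relies on the sample to decide whether their nat=no phones need an explicit setting. The first line should lose the stale word, e.g. `; nat = no ; Use NAT mode only according to RFC3581 (;rport)`. The lead-in `(both globally and in individual sections)` also sits oddly above a paragraph that tells the reader never to set nat per section; a short qualifier such as `; (see the warning below before setting nat on an individual peer)` would reconcile the two.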
@@ -1030,7 +1036,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ; on incoming calls to Asterisk
 ;host=192.168.0.23 ; we have a static but private IP address
 ; No registration allowed
-;nat=no ; there is not NAT between phone and Asterisk
 ;directmedia=yes ; allow RTP voice traffic to bypass Asterisk
 ;dtmfmode=info ; either RFC2833 or INFO for the BudgeTone
 ;call-limit=1 ; permit only 1 outgoing call and 1 incoming call at a time
@@ -1060,7 +1065,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ;regexten=1234 ; When they register, create extension 1234
 ;callerid="Jane Smith" <5678>
 ;host=dynamic ; This device needs to register
-;nat=yes ; X-Lite is behind a NAT router
 ;directmedia=no ; Typically set to NO if behind NAT
 ;disallow=all
 ;allow=gsm ; GSM consumes far less bandwidth than ulaw
@@ -1131,9 +1135,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ;type=friend
 ;secret=blah
 ;qualify=200 ; Qualify peer is no more than 200ms away
-;nat=yes ; This phone may be natted
- ; Send SIP and RTP to the IP address that packet is
- ; received from instead of trusting SIP headers
 ;host=dynamic ; This device registers with us
 ;directmedia=no ; Asterisk by default tries to redirect the
 ; RTP media stream (audio) to go directly from
-- 
2.47.2