Wednesday, October 4, 2017

Background: What is an RTP Bleed attack ?

now that hopefully everybody has updated to GnuGk 4.7 here is a little bit of background information on the latest security update:

RTP bleed is an attack that allows the attacker to redirect the RTP media stream (or parts of it) to his own IP without even having to manipulate any IP routing or being in a man-in-the-middle position. It also has good potential to mount a denial of service attack.

This vulnerability is not specific to GnuGk or H.323. It exists in a number of telephony products and RTP proxies. recently Asterisk was found to be vulnerable.

How is this attack possible ?

Originally H.323 announced all the ports that it intended to use inside the signaling and all was well. Then came firewalls and today most endpoints live on private IPs and have no idea what their public IP might be or which port the NAT router assigns then.

Thus H.323 introduced port detection in the form or H.460.19 which only works with registered endpoints and GnuGk extends that to unregistered endpoints with the IgnoreSignaledIPs=1 switch.

This works very well, but it means that GnuGk has to listen to RTP from any IP address and then send RTP for the other direction to what ever IP the sender appears to have. An attacker can now try to send its own RTP packets and trick GnuGk into believing they come from the call participants. And thats really easy, since RTP itself doesn't carry any form of authentication. When receiving such a malicious RTP packet at the right time, GnuGk
would thus send the media stream to the attacker.

The first step to reducing the attack surface is to stop allowing incoming RTP packets to change the send destination after the initial port detection is done. GnuGk has always done this for H.460.19, but not for unregistered calls until version 4.7.

Unfortunately this still leaves the possibility for an attacker to try to send RTP packets before the real call participants do. And since RTP is UDP, it can easily be sent with a spoofed source address to turn this into a hard do defend against denial of service attack.

Since H.323 doesn't make any requirements where RTP will come from, you can't defend against this remaining vulnerability without disrupting some valid configurations.

But is most cases RTP will come from the same IP or at least the same network where the signaling comes from. Thus GnuGk introduces a new switch in version 4.7 so you can tell GnuGk to only accept RTP from these IPs (RestrictRTPSources=Net). Thus an attacker would have to be inside the calling parties network to cause harm which is way more
difficult that to be just anywhere on the internet.

If you use a load balancer or routed mode gatekeepers distributed over multiple networks, you need to take more elaborate steps to secure your network, but the vast majority of users should be able to secure their configurations with RestrictRTPSources=Net. Since we violate the H.323 standard a bit here, the switch is off by default and you will
need to set it explicitly.

I hope this clarifies the issue and explains why you should update and secure your configuration!