now that hopefully everybody has updated to GnuGk 4.7 here is a little bit of background information on the latest security update:
RTP bleed is an attack that allows the attacker to redirect the RTP media stream (or parts of it) to his own IP without even having to manipulate any IP routing or being in a man-in-the-middle position. It also has good potential to mount a denial of service attack.
This vulnerability is not specific to GnuGk or H.323. It exists in a number of telephony products and RTP proxies. recently Asterisk was found to be vulnerable.
How is this attack possible ?
Originally H.323 announced all the ports that it intended to use inside the signaling and all was well. Then came firewalls and today most endpoints live on private IPs and have no idea what their public IP might be or which port the NAT router assigns then.
Thus H.323 introduced port detection in the form or H.460.19 which only works with registered endpoints and GnuGk extends that to unregistered endpoints with the IgnoreSignaledIPs=1 switch.
This works very well, but it means that GnuGk has to listen to RTP from any IP address and then send RTP for the other direction to what ever IP the sender appears to have. An attacker can now try to send its own RTP packets and trick GnuGk into believing they come from the call participants. And thats really easy, since RTP itself doesn't carry any form of authentication. When receiving such a malicious RTP packet at the right time, GnuGk
would thus send the media stream to the attacker.
The first step to reducing the attack surface is to stop allowing incoming RTP packets to change the send destination after the initial port detection is done. GnuGk has always done this for H.460.19, but not for unregistered calls until version 4.7.
Unfortunately this still leaves the possibility for an attacker to try to send RTP packets before the real call participants do. And since RTP is UDP, it can easily be sent with a spoofed source address to turn this into a hard do defend against denial of service attack.
Since H.323 doesn't make any requirements where RTP will come from, you can't defend against this remaining vulnerability without disrupting some valid configurations.
But is most cases RTP will come from the same IP or at least the same network where the signaling comes from. Thus GnuGk introduces a new switch in version 4.7 so you can tell GnuGk to only accept RTP from these IPs (RestrictRTPSources=Net). Thus an attacker would have to be inside the calling parties network to cause harm which is way more
difficult that to be just anywhere on the internet.
If you use a load balancer or routed mode gatekeepers distributed over multiple networks, you need to take more elaborate steps to secure your network, but the vast majority of users should be able to secure their configurations with RestrictRTPSources=Net. Since we violate the H.323 standard a bit here, the switch is off by default and you will
need to set it explicitly.
I hope this clarifies the issue and explains why you should update and secure your configuration!
Wednesday, October 4, 2017
Thursday, September 21, 2017
GNU Gatekeeper 4.7 (security update)
This version is purely a security update and has no new features. All users are encouraged to update, especially if you use port detection (IgnoreSignaledIPs=1) you should update ASAP.
It has been discovered that GnuGk is vulnerable in some configurations for RTP bleed attacks (https://rtpbleed.com/). By updating to version 4.7 only the first packets in each media stream influence the media destination.
To further secure your configuration, you can set
[Proxy]
RestrictRTPSources=Net
to only accept RTP from the same class C network that the call signaling came from. Please beware that this may break a few valid calls where this condition isn't met.
You can download the new version from
https://www.gnugk.org/h323download.html
Please see the full change log below.
Changes from 4.6 to 4.7
It has been discovered that GnuGk is vulnerable in some configurations for RTP bleed attacks (https://rtpbleed.com/). By updating to version 4.7 only the first packets in each media stream influence the media destination.
To further secure your configuration, you can set
[Proxy]
RestrictRTPSources=Net
to only accept RTP from the same class C network that the call signaling came from. Please beware that this may break a few valid calls where this condition isn't met.
You can download the new version from
https://www.gnugk.org/h323download.html
Please see the full change log below.
Changes from 4.6 to 4.7
- fixes for RTP Bleed
- new switch [Proxy] RestrictRTPSources=IP or Net to limit accepting RTP from the call signal IPs or the respective class C network
- new switch [Proxy] LegacyPortDetection=1 to keep port detection help for some very old and broken endpoints that will make your gatekeeper vulnerable to RTP Bleed attacks
- BUGFIX(ProxyChannel.cxx) replace @ip or ip## from aliases when using RedirectCallsToGkIP
- BUGFIX(ProxyChannel.cxx) better initialization of sendmsg() structs
- new command line option: now you can use -S instead of --strict (needed on BSD systems)
Monday, September 4, 2017
GNU Gatekeeper 4.6 is out
I'm happy to announce that GNU Gatekeeper version 4.6 has just been
released.
This version has a few new features as well as bug fixes.
New features:
Bug fixes:
You can download the new version from
https://www.gnugk.org/h323download.html
Please see the full change log below.
Changes from 4.5 to 4.6
released.
This version has a few new features as well as bug fixes.
New features:
- least used routing: distribute calls evenly between gateways or MCUs (new switch [RasSrv::ARQFeatures] LeastUsedRouting=1)
- ability to log to the Unix syslog instead of the trace file (new switch [LogFile] TraceToSyslog=1)
- new authentication module TwoAliasAuth this is not very safe, but you can use it with endpoints that do not support any password transmission
- new switch [CTI::MakeCall] Bandwidth= to set the maximum bandwidth for the calls generated by the GnuGk status port API
- new status port command: UnregisterEP <ep-id>
- a number of switches to fine tune TCP keepalives
- new switch to remove load balancers from the call path ([RoutedMode] RedirectCallsToGkIP=1)
Bug fixes:
- fixed TCP keepalive for H.460 calls (important!)
- fixes to port detection for unregistered calls
- audio fix when GnuGk adds encryption to calls
- many smaller fixes
You can download the new version from
https://www.gnugk.org/h323download.html
Please see the full change log below.
Changes from 4.5 to 4.6
- new switch: [RoutedMode] RedirectCallsToGkIP=1
- new switches: [RoutedMode] H460KeepAliveMethodH225=, H460KeepAliveMethodH245=, GnuGkTcpKeepAliveMethodH225=, GnuGkTcpKeepAliveMethodH245=
- BUGFIX(ProxyChannel.cxx) TCP keep-alives for H.460.18 calls weren't always enabled correctly
- don't open a status port listener if [Gatekeeper::Main] StatusPort=0
- BUGFIX(Toolkit.cxx) remove trailing chars before checking for DefaultDomain
- add callID to H.245 trace messages for easier debugging
- BUGFIX(ProxyChannel.cxx) forward ReleaseComplete from remaining party while doing call reroute
- BUGFIX(ProxyChannel.cxx) drop un-en/decryptable RTP packets at end of call when adding encryption
- new status port command: UnregisterEP <ep-id>
- BUGFIX(RasSrv.cxx) remove IPv6 addresses before processing RRQs when IPv6 is not enabled
- send Facility message as as non-H.460.18 keep-alive for H.225
- send non-standard H.245 userIndication as non-H.460.18 keep-alive for H.245
- new switch [RoutedMode] DisableGnuGkH245TcpKeepAlive=1
- new switch [LogFile] TraceToSyslog=1 to send trace output to syslog (Unix only)
- BUGFIX(ProxyChannel.cxx) fix port detection for re-opened channels with IgnoreSignaledIPs=1
- new switch [CTI::MakeCall] Bandwidth= to set the maximum bandwidth for the call
- new switch [RasSrv::ARQFeatures] LeastUsedRouting=1 to select the least used gateway
- new authentication module TwoAliasAuth
Friday, March 17, 2017
GNU Gatekeeper 4.5 released
The most important change is the implementation of TCP keepalives for H.460.18 (bugfix) and optionally for all kinds of calls (feature). This is really important for NAT traversal.
In addition to the keepalives there are a number of bugfixes and a few minor feature additions (see the change notes below).
You can download the new version from
https://www.gnugk.org/h323download.html
Full change log from 4.4 to 4.5
In addition to the keepalives there are a number of bugfixes and a few minor feature additions (see the change notes below).
You can download the new version from
https://www.gnugk.org/h323download.html
Full change log from 4.4 to 4.5
- new feature to send H.225 and H.245 keep-alives for all calls, enable with [RoutedMode] EnableGnuGkTcpKeepAlive=1, set interval with GnuGkTcpKeepAliveInterval=n
- BUGFIX(ProxyChannel.cxx) send H.225 and H.245 keep-alives when acting as H.460.18 client
- BUGFIX(ProxyChannel.cxx) disable RTP/RTCP port check for IPs in AllowedSignalIPs= when doing port detection
- [Proxy] AllowedSignalIPs= can now process a list of networks
- add shortcurt 'rl' for status port command 'rotatelog'
- new switch [CallTable] SetCalledStationIdToDialedIP=1
- new switch [CallTable] UseDestCallSignalIPAsDialedNumber=1 to place the destSignalIP into the %{DialedNumber} field if no dialed number is available in the ARQ / Setup
- BUGFIX(ProxyChannel.cxx) fix crash on invalid sourceCallSignalAddress
- add optional parameter for call transfer method to MakeCall status port command
- BUGFIX(Toolkit.*) fix bug in IP comparison
- BUGFIX(Toolkit.*) the internal networks configured with the [Proxy] InternalNetworks switch were added to the detected internal networks and didn't replace them, now they replace them as documented
Friday, January 6, 2017
GNU Gatekeeper 4.4 released
GNU Gatekeeper 4.4 was released today. This is mainly a bug fix release
with only 2 new features.
If you use SSH on your status port you are urged to update as soon as
possible and also if you use LUA scripting. Two serious bugs have been
fixed for these features where GnuGk can be crashed remotely.
A new feature is the RequireOneNet policy that allows you to restrict
access to publicly accessible traversal gatekeepers. Now you can easily
define that one end of all calls must terminate in one of your own
networks and prevent abuse of your resources by 3rd parties.
The other new feature is a significant improvement to the MakeCall
command on the status port. It is now able to establish video calls and
supports virtually all endpoints by using GnuGk's call reroute feature.
Changed config switches:
You can download the new version from
http://www.gnugk.org/h323download.html
Please see the full change log below.
These know bugs haven't been addressed, yet:
Changes from 4.3 to 4.4
with only 2 new features.
If you use SSH on your status port you are urged to update as soon as
possible and also if you use LUA scripting. Two serious bugs have been
fixed for these features where GnuGk can be crashed remotely.
A new feature is the RequireOneNet policy that allows you to restrict
access to publicly accessible traversal gatekeepers. Now you can easily
define that one end of all calls must terminate in one of your own
networks and prevent abuse of your resources by 3rd parties.
The other new feature is a significant improvement to the MakeCall
command on the status port. It is now able to establish video calls and
supports virtually all endpoints by using GnuGk's call reroute feature.
Changed config switches:
- [Proxy] ProxyForNAT now defaults to OFF
- [CTI::MakeCall] DisableFastStart has been removed, fastStart is now always disabled
You can download the new version from
http://www.gnugk.org/h323download.html
Please see the full change log below.
These know bugs haven't been addressed, yet:
- when GnuGk acts as a H.460.18 client (as client in a H.460.18 traversal zone with another gatekeeper or as child gatekeeper), it currently does not send a keep-alive on the Q.931 TCP connection during a call
- bandwidth management currently only applies to calls from registered endpoints and ignores unregistered calls completely
Changes from 4.3 to 4.4
- [CTI::MakeCall] TransferMethod can now also be Reroute, DisableFastStart switch removed
- BUGFIX(MakeCall.cxx) fix MakeCall bearer capabilities to support video calls
- BUGFIX(ProxyChannel.cxx) don't send Notify after call Reroute: Polycom RealPresens starts a flood of Status messages
- BUGFIX(GkStatus.cxx) call ssh_init() and ssh_finalize() only on application start and shutdown
- BUGFIX(ProxyChannel.cxx) fix IP check for IgnoreSignaledPrivateH239IPs= switch
- new accounting/authentication policy RequireOneNet
- pass full RRQ message to LuaAuth
- BUGFIX(ProxyChannel.cxx) when opening a port from a PortRange fails, try next port regardless of errno
- BUGFIX(lua.cxx) add mutex for LUA interpreter, because it is not thread safe
- added message type parameter in RouteRequest event (ARQ, Setup, LRQ)
- BUGFIX(yasocket.cxx) fix UDP with LARGE_FDSET on Solaris, OpenBSD and NetBSD
- BUGFIX(RasTbl.cxx) fix crash on invalid AliasTypeFilter setting
- changed default setting: [Proxy] ProxyForNAT now defaults to off, if you want to keep the previous behaviour, please set it explicitely
Thursday, November 17, 2016
GNU Gatekeeper 4.3 released
I'm happy to announce the release of GNU Gatekeeper 4.3.
This new version contains a number bug fixes and some security fixes.
Fuzzy testing surfaced methods to crash GnuGk remotely, causing at least a denial of service. So all users are encouraged to update.
The most notable new feature are probably the events for Setup messages on the status port so now you can see all calls. In addition, LuaAuth has been given access to more information about received messages and can end your status port sessions with Ctrl-C now.
Important bug fixes are in the H.460 NAT traversal code where sometimes keep-alive intervals could be too long in older versions and a bug where GnuGk might have missed port re-negotiations in some cases.
The IgnoreSignaledIPs port detection code also has a few bug fixes to detect cases where it should be turned off automatically because its either not needed because the parties use another form of NAT traversal or non-symmetric ports where the detection algorithm may cause more harm than good.
You can download the new version from
https://www.gnugk.org/h323download.html
Enjoy!
Changes from GnuGk 4.2 to 4.3
This new version contains a number bug fixes and some security fixes.
Fuzzy testing surfaced methods to crash GnuGk remotely, causing at least a denial of service. So all users are encouraged to update.
The most notable new feature are probably the events for Setup messages on the status port so now you can see all calls. In addition, LuaAuth has been given access to more information about received messages and can end your status port sessions with Ctrl-C now.
Important bug fixes are in the H.460 NAT traversal code where sometimes keep-alive intervals could be too long in older versions and a bug where GnuGk might have missed port re-negotiations in some cases.
The IgnoreSignaledIPs port detection code also has a few bug fixes to detect cases where it should be turned off automatically because its either not needed because the parties use another form of NAT traversal or non-symmetric ports where the detection algorithm may cause more harm than good.
You can download the new version from
https://www.gnugk.org/h323download.html
Enjoy!
Changes from GnuGk 4.2 to 4.3
- BUGFIX(ProxyChannel.cxx, gkh235.cxx, gkauth.h) fix crashes found with PROTOS
- new authentication policies LuaPasswordAuth, HttpPasswordAuth
- BUGFIX(configure.in) fix check for LUA 5.2 or higher
- connection to the status port can now also be ended with Ctrl-C
- new switch [Routing::DNS] RewriteARQDestination= to preserve URLs in ARQs
- disable IgnoreSignaledIPs when one party is not using the same RTP ports for forward and reverse channels in same RTP session
- BUGFIX(RasTbl.cxx) don't allow higher TTL for H.460.18 registrations than set by H46018KeepAliveInterval= switch
- add variables message, srcInfo and vendor to LuaAuth
- print message on status port when Setup is received
- BUGFIX(ProxyChannel.cxx) disregard IgnoreSignaledIPs=1 switch when caller supports some form of NAT traversal (to avoid both sides waiting for first RTP packet)
- BUGFIX(ProxyChannel.cxx) enable H.245 tunneling for H.460.17 even when Innovaphone forgets the flag
- BUGFIX(ProxyChannel.cxx) make sure CRV is 0 for all RAS messages when using H.460.17 even when they relate to a call
- BUGFIX(ProxyChannel.cxx) re-do H.460.19 port detection when a new logical channel is opened on the same port
- print number of CPU cores and thread configuration on startup
- BUGFIX(RasTbl.cxx) fix display of H.460.17 for registrations on status port
- BUGFIX(ProxyChannel.cxx) fix dead lock causing reroutes to fail
Saturday, October 8, 2016
Mobile H.323 endpoints revisited
If you are looking for a free H.323 endpoint to connect to the GNU Gatekeeper, mobile apps for smartphones and tablets seem to offer the widest variety of choice right now.
My personal favorite are the RealPresence apps from Polycom, available for iOS and Android. They offer you to sign in with a Polycom account, but you can simply skip this and just register with any H.323 gatekeeper in the settings.
http://support.polycom.com/PolycomService/support/us/support/video/realpresence_mobile/realpresence_mobile.html
Collaborate Mobile is also a good choice and also available for iOS and Android from the respective app stores.
https://play.google.com/store/apps/details?id=com.clearone.collaborate
https://itunes.apple.com/us/app/collaborate-mobile/id824952324?mt=8
Yealink VC Mobile is relatively new, but seems to work find with GnuGk, too.
https://play.google.com/store/apps/details?id=com.yealink.videophone
https://itunes.apple.com/de/app/yealink-vcm/id1114669846?mt=8
There used to be an Android version of BeedHD, but now its only available for iOS.
https://itunes.apple.com/de/app/beehd/id639912661?mt=8
I have dropped Sony IPELA from the list, because their apps seem to hang up without any visible reason after a few seconds in the call.
Here is my older post about free mobile H.323 endpoints for reference.
Polycom
My personal favorite are the RealPresence apps from Polycom, available for iOS and Android. They offer you to sign in with a Polycom account, but you can simply skip this and just register with any H.323 gatekeeper in the settings.
http://support.polycom.com/PolycomService/support/us/support/video/realpresence_mobile/realpresence_mobile.html
ClearOne
Collaborate Mobile is also a good choice and also available for iOS and Android from the respective app stores.
https://play.google.com/store/apps/details?id=com.clearone.collaborate
https://itunes.apple.com/us/app/collaborate-mobile/id824952324?mt=8
Yealink
Yealink VC Mobile is relatively new, but seems to work find with GnuGk, too.
https://play.google.com/store/apps/details?id=com.yealink.videophone
https://itunes.apple.com/de/app/yealink-vcm/id1114669846?mt=8
Radvision
There used to be an Android version of BeedHD, but now its only available for iOS.
https://itunes.apple.com/de/app/beehd/id639912661?mt=8
I have dropped Sony IPELA from the list, because their apps seem to hang up without any visible reason after a few seconds in the call.
Here is my older post about free mobile H.323 endpoints for reference.
Subscribe to:
Posts (Atom)