[sr-dev] Security announcement related to Kamailio

Henning Westerholt hw at kamailio.org
Mon Mar 19 19:51:17 CET 2018


On Monday, 19 March 2018, 09:49:55 CET, Henning Westerholt wrote:
> as already announced by Daniel-Constantin Mierla on the lists last
> Wednesday [1], we strongly advise you to update your Kamailio installation
> to the latest stable release for security reasons.
> 
> All supported releases (4.4, 5.0 and 5.1) contain two important security
> fixes related to the tmx and lcr module.
> [..]

Hello,

I'd like to add a few clarifications and also a configuration workaround for 
people who for some reason can't update in a timely manner.


The issues were fixed before the 4.4.7, 5.0.6, and 5.1.2 releases (on Feb 5
the lcr and Feb 10 the tmx fix) in the respective stable branches. 

So if you are already running the 4.4.7, 5.0.6 or 5.1.2 release then you 
already have the fixes deployed. If you don't use the tmx or lcr module, you are of 
course also safe.

You'll find all information about this issue consolidated on our web page at:

https://www.kamailio.org/w/2018/03/kamailio-security-announcement-tmx-lcr/



Details for the configuration workarounds:

For tmx, a length check can be added before checking for re-transmissions (or 
at the beginning of request_route):

if($(ci{s.len}) + $(hdr(CSeq){s.len}) + $(ft{s.len}) + $(sel(v.branch){s.len}) >= 254) {
   sl_send_reply("500", "Not accepted");
   exit;
}

For lcr, the check should be on the dialed number ($rU - r-uri username). The 
issue is exposed if the length of the new request URI after lcr operations is over 
256 (load_gws()+next_gw() -- with strip and prefix operations, new host, port, 
params).

However, only $rU is used from the incoming message, the rest of the attributes 
are taken from lcr database tables. A good check could be a max 32 length for 
$rU (this is supposed to be a telephone number, so it is a decent upper 
limit). If exceeding, the call should be rejected:

if($(rU{s.len}) > 32) {
   sl_send_reply("500", "Not accepted");
   exit;
}

Based on common usage out there, usual host names, port and parameters length 
should exceed 256. But if someone is having long values for those fields, they 
should double check if the limit is exceeded.

This check should be done before use of load_gws().


Best regards,

Henning Westerholt
Kamailio Project
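
An added example, not part of the original message and not Kamailio code: a Python sketch that approximates the values the two workaround checks above operate on (Call-ID, CSeq body, From tag, top Via branch, and the request-URI user) for a captured request, so existing traffic can be audited against the 254 and 32 limits before the rules go live. The function and constant names are assumptions, and the parsing is simplified (no header folding, sip/sips URIs only).

```python
import re

TMX_LIMIT = 254  # workaround rejects when the summed length is >= 254
RU_LIMIT = 32    # workaround rejects when $rU is longer than 32

# Constructed sample request (not real traffic).
SAMPLE = (
    "INVITE sip:+4930123456@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds;rport\r\n"
    'From: "Alice" <sip:alice@example.org>;tag=1928301774\r\n'
    "To: <sip:+4930123456@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

def header(msg, *names):
    """Body of the first header whose (long or compact) name is in names."""
    for line in msg.split("\r\n")[1:]:
        if not line:          # blank line: end of headers
            break
        name, _, body = line.partition(":")
        if name.strip().lower() in names:
            return body.strip()
    return ""

def param(text, key):
    """Value of ;key=value in a header fragment, or "" if absent."""
    m = re.search(r";\s*" + key + r"=([^;\s]+)", text, re.I)
    return m.group(1) if m else ""

def workaround_verdict(msg):
    """Return (tmx_sum, ru_len, rejected) for one raw SIP request."""
    uri = msg.split("\r\n", 1)[0].split(" ")[1]
    m = re.match(r"sips?:([^@]*)@", uri, re.I)
    ru = m.group(1).split(":")[0] if m else ""        # drop any password
    ftag = param(header(msg, "from", "f").rpartition(">")[2], "tag")
    branch = param(header(msg, "via", "v").split(",")[0], "branch")  # top Via
    tmx_sum = (len(header(msg, "call-id", "i")) + len(header(msg, "cseq"))
               + len(ftag) + len(branch))
    return tmx_sum, len(ru), tmx_sum >= TMX_LIMIT or len(ru) > RU_LIMIT

if __name__ == "__main__":
    print(workaround_verdict(SAMPLE))
```

Running it over a representative capture shows how close legitimate requests come to either limit, which is the false-positive risk of deploying the workaround.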




