[SR-Users] Security announcement related to Kamailio
Henning Westerholt
hw at kamailio.org
Mon Mar 19 19:51:17 CET 2018
Am Montag, 19. März 2018, 09:49:55 CET schrieb Henning Westerholt:
> as already announced from Daniel-Constantin Mierla on the lists last
> Wednesday [1], we strongly advise you to update your Kamailio installation
> to the latest stable release for security reasons.
>
> All supported releases (4.4, 5.0. and 5.1) contains two important security
> fixes related to the tmx and lcr module.
> [..]
Hello,
I'd like to add a few clarifications and also a configuration workaround for
people that for some reasons can't update timely.
The issues were fixed before the 4.4.7, 5.0.6, and 5.1.2 releases (on Feb 5
the lcr and Feb 10 the tmx fix) in the respective stable branches.
So if you are already running the 4.4.7, 5.0.6 or 5.1.2 release then you have
already the fixes deployed. If you don't use the tmx or lcr module, you are of
course also save.
You'll find all information about this issue consolidated on our web page at:
https://www.kamailio.org/w/2018/03/kamailio-security-announcement-tmx-lcr/
Details for the configuration workarounds:
For tmx, a length check can be added before checking for re-transmissions (or
at the beginning of request_route):
if($(ci{s.len) + $(hdr(CSeq){s.len}) + $(ft{s.len}) + $(sel(v.branch){s.len))
>= 254) {
sl_send_reply("500", "Not accepted");
exit;
}
For lcr, the check should be on dialed number ($rU - r-uri username). The
issue is exposed if the length of new request URI after lcr operations is over
256 (load_gws()+next_gw() -- with strip and prefix operations, new host, port,
params).
However, only $rU is used from incoming message, the rest of the attributes
are taken from lcr database tables. A good check could be a max 32 length for
$rU (this is supposed to be a telephone number, so it is a decent upper
limit). If exceeding, the call should be rejected:
if($(rU{s.len) > 32) {
sl_send_reply("500", "Not accepted");
exit;
}
Based on common usage out there, usual host names, port and parameters length
should exceed 256. But if someone is having long values for those fields, they
should double check if the limit is exceeded.
This check should be done before use of load_gws().
Best regards,
Henning Westerholt
Kamailio Project
More information about the sr-users
mailing list