RTPbleed Security Alert: Asterisk Calls Can Be Intercepted

Stumbled across this article on Nerd Vittles:
http://nerdvittles.com/?p=23361

"Our testing confirms that simply blocking incoming RTP traffic on your firewall solves the problem without any Asterisk patch. In short, RTP traffic cannot originate from anonymous sources on the Internet.
Simply remove or comment out the INPUT rule that looks like this and restart IPtables:
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT"

Does anyone see any issue with this approach using:
FreePBX 13.0.190.7
Asterisk Version: 13.7.2

Hi!

Unless I am misreading this, the person who wrote this probably has limited experience in dealing with the requirements of some VoIP providers…

I know of at least one well-known provider you cannot do that with, Flowroute…

With Flowroute you establish the SIP communication with servers you know the IPs of but once the communication is established, the RTP traffic comes from a different IP.

Flowroute calls this Direct Audio, see:

https://support.flowroute.com/customer/portal/articles/1852955-port-forwarding-nat-policies-for-flowroute-s-direct-audio
(for the requirement about opening RTP ports to the whole Internet…)

https://support.flowroute.com/customer/portal/articles/1850940-what-is-flowroute-s-direct-audio-system-
(for a description of direct audio…)

I believe one of my other providers also does this but I am not 100% sure… This is not specific to Flowroute, though, so while the suggestion will work with many providers, it won’t work with all of them, something the author should have said but probably did not know…

Good luck (if you try it) and have a nice day!

Nick
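To make the trade-off discussed above concrete, here is an added Python simulation (not code from this thread, FreePBX or Asterisk) of a media port that learns its remote endpoint from the first packet it accepts, with the firewall rule modelled as a CIDR allowlist; every address is a constructed sample from documentation ranges, and the learning logic is deliberately simplified compared with real Asterisk.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class RtpSession:
    """Hypothetical model of an Asterisk RTP port under nat/comedia settings:
    the remote is learned from the first packet that gets through the firewall.
    An empty allowlist models the open '--dport 10000:20000 -j ACCEPT' rule."""
    allowed_sources: list            # CIDR strings; [] means open to the Internet
    learned_remote: Optional[str] = None

    def _firewall_accepts(self, src_ip: str) -> bool:
        if not self.allowed_sources:
            return True
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.allowed_sources)

    def receive(self, src_ip: str) -> str:
        """Fate of one inbound RTP packet: dropped, learned, accepted or ignored."""
        if not self._firewall_accepts(src_ip):
            return "dropped"                       # never reaches Asterisk
        if self.learned_remote is None:
            self.learned_remote = src_ip           # first accepted source wins
            return "learned"
        return "accepted" if src_ip == self.learned_remote else "ignored"

def run_scenario(allowlist, arrivals):
    """Feed (label, src_ip) arrivals in order; return the learned remote and
    each packet's fate so the three cases below can be compared."""
    session = RtpSession(allowed_sources=allowlist)
    fates = {label: session.receive(ip) for label, ip in arrivals}
    return session.learned_remote, fates

# Constructed sample addresses (RFC 5737 documentation ranges).
PROVIDER_SIP_NET = "198.51.100.0/24"   # the SIP servers you know in advance
PROVIDER_SIP = "198.51.100.10"
DIRECT_AUDIO_MEDIA = "203.0.113.77"    # media sent from a host outside that range
UNRELATED_FIRST = "192.0.2.99"         # some other host whose packet arrives first

if __name__ == "__main__":
    # Open port: whoever arrives first is learned, the real provider is ignored.
    print(run_scenario([], [("other", UNRELATED_FIRST), ("provider", PROVIDER_SIP)]))
    # Allowlist: the stray packet is dropped and the provider is learned.
    print(run_scenario([PROVIDER_SIP_NET], [("other", UNRELATED_FIRST), ("provider", PROVIDER_SIP)]))
    # Allowlist with Direct-Audio-style media from a different IP: dropped, no audio.
    print(run_scenario([PROVIDER_SIP_NET], [("media", DIRECT_AUDIO_MEDIA)]))
```

The third case is the one Nick describes: with media sources not known in advance, the allowlist protects the port but also silences the call.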

Most providers do NOT proxy media because

  • It can be a privacy concern
  • Having to pass audio through a server a thousand miles away typically doesn’t make sense
  • Resources: it takes additional overhead (even if trivial per user) to proxy media.

Many of you may have noticed the most recent security release for correcting a potential RTP hijacking vulnerability when strictrtp is enabled in conjunction with certain nat settings. In reality, it’s very challenging to get gain and plunder from the bug due to several mitigation strategies used in Asterisk (random rtp port selection and large default rtp port range). ~ Matt Fredrickson (Asterisk project lead, engineering manager, fast food advocate, and sometimes engineer at Digium)

tl;dr the risk is minor. Also, just update Asterisk.