
RTP Bleed: Dangerous vulnerability to intercept VoIP traffic


In the popular IP telephony solution Asterisk, a vulnerability has been discovered that allows an attacker to inject RTP packets into a conversation or to listen in on RTP traffic.

How it works


To exploit the vulnerability, an attacker needs to send an RTP packet to the server port to which an RTP stream is currently attached. If the server is vulnerable, it responds with the RTP stream packets destined for the subscriber who is actually using this port to talk. The attacker does not need to be positioned between the server and the subscriber. Although its name echoes Heartbleed, in practice the vulnerability is closer to a MITM attack.

This becomes possible due to the operation of some RTP proxies. In the process of solving “problems” associated with the delivery of RTP packets using NAT, the proxy does not require any authentication to enter into its internal table information about the final IP address and port to which RTP responses should be sent so that they are delivered to the subscriber. The RTP proxy “remembers” the IP / Port pairs based on which IP / port the proxy receives RTP packets from the subscriber.

Thus, in order to receive packets from a third-party subscriber, you only need to know the RTP port that is used by the subscriber and start sending RTP packets to it, thereby misleading the RTP proxy.
Asterisk versions from 11.4.0 to 14.6.1 are affected by the vulnerability.

You can learn more about the problem on the vulnerability's official website, rtpbleed.com.

Instruments


To check if your systems are vulnerable to RTP Bleed, you can use the free rtpnatscan tool.

To install, clone the repository and compile the utilities:

    git clone https://github.com/kapejod/rtpnatscan.git
    cd rtpnatscan
    make rtpnatscan
    make rtcpnatscan

Next, place a call and check which ports are used for RTP, for example through the Asterisk CLI:

    asterisk -r
    rtp set debug on

Then, on a third-party machine, run the rtpnatscan scan and try to receive the RTP packets:

 ./rtpnatscan  _ _ _ 

To do this, you do not need to use any MITM techniques, like ARP spoofing. You just need to be able to send RTP packets to the vulnerable server and port.

If the remote server sent RTP packets in response, your configuration is vulnerable.

rtpnatscan is only a scanner and does not allow listening to the conversation.

In addition to the rtpnatscan utility, there is a paid tool with more features.

How to protect


First you need to check whether your systems are vulnerable to RTP Bleed with the tool described above.

There is an official patch for Asterisk, but it does not completely close the vulnerability, so there is an additional patch, which it is also recommended to apply.

If installing a patch is not possible, do not set the nat = yes parameter in the Asterisk configuration, if this is acceptable in your case.
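The following is an added example, not code from the article or from Asterisk: a simplified Python model of the RTP proxy behaviour described under "How it works", showing why unauthenticated address learning (the nat = yes behaviour) redirects a subscriber's media to whoever last sent RTP to the port, and why disabling it makes the proxy stick to the signalled address. The addresses, SSRCs and packets are constructed for the model.

```python
import struct
from dataclasses import dataclass, field

Addr = tuple  # (ip, port) as a plain tuple in this constructed model

def parse_rtp(data: bytes) -> dict:
    """Parse the 12-byte RTP fixed header (RFC 3550); rejects non-RTP input."""
    if len(data) < 12 or data[0] >> 6 != 2:
        raise ValueError("not an RTP v2 packet")
    _, _, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "payload": data[12:]}

def build_rtp(ssrc: int, seq: int, payload: bytes) -> bytes:
    """Build a minimal RTP packet: V=2, no padding/extension/CSRC, PT 0 (PCMU)."""
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + payload

@dataclass
class RtpProxyLeg:
    """One media leg of a simplified RTP proxy (a model, not Asterisk's code)."""
    signalled_peer: Addr           # where SDP said this subscriber's media lives
    nat_learning: bool             # True models the article's nat = yes behaviour
    learned_peer: Addr = None
    sent_to: list = field(default_factory=list)

    def on_packet_in(self, src: Addr, data: bytes) -> None:
        parse_rtp(data)            # malformed packets are dropped
        if self.nat_learning:
            # Weak point: the peer address is learned from whoever sends
            # valid-looking RTP to this port, with no authentication at all.
            self.learned_peer = src

    def relay_to_subscriber(self, data: bytes) -> Addr:
        """Forward the other party's media; returns where it was sent."""
        dest = self.learned_peer if self.nat_learning and self.learned_peer else self.signalled_peer
        self.sent_to.append(dest)
        return dest

def simulate(nat_learning: bool) -> list:
    """Replay a constructed exchange and return the destinations of relayed media."""
    subscriber, third_party = ("198.51.100.10", 4000), ("203.0.113.5", 5555)
    leg = RtpProxyLeg(signalled_peer=subscriber, nat_learning=nat_learning)
    leg.on_packet_in(subscriber, build_rtp(0x1111, 1, b"\xff" * 160))
    leg.relay_to_subscriber(build_rtp(0x2222, 1, b"\x7f" * 160))        # reaches the subscriber
    leg.on_packet_in(third_party, build_rtp(0x9999, 1, b"\x00" * 160))  # unrelated sender
    leg.relay_to_subscriber(build_rtp(0x2222, 2, b"\x7f" * 160))        # where does this go?
    return leg.sent_to

if __name__ == "__main__":
    print("nat learning on :", simulate(True))   # second packet leaks to the third party
    print("nat learning off:", simulate(False))  # both packets stay with the subscriber
```

With learning enabled the second relayed packet goes to 203.0.113.5:5555, which is exactly the behaviour rtpnatscan probes for; with it disabled the proxy only ever uses the signalled address.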

It is also recommended to encrypt voice traffic, so that even if RTP packets are intercepted, the attacker does not gain access to confidential information.

Source: https://habr.com/ru/post/337976/