sipwise / rtpengine

The Sipwise media proxy for Kamailio
GNU General Public License v3.0

security: RTPengine may fully disable existing firewall #1785

Closed gaaf closed 5 months ago

gaaf commented 5 months ago

rtpengine version the issue has been seen with

12.2.1.0

Used distribution and its version

Debian 10

Linux kernel version used

4.19.0-25-amd64 (4.19.289)

CPU architecture issue was seen on (see uname -m)

x86_64

Expected behaviour you didn't see

Not touching iptables' INPUT chain's policy.

Unexpected behaviour you saw

When rtpengine starts, it creates a new iptables chain (rtpengine) and a rule in the INPUT chain to pass all udp traffic to the rtpengine chain. Nothing wrong here, except:

It also changes the INPUT chain policy from DROP to ACCEPT. This may open up the host to outside attacks.

Tested with all nftables-* options on default (not specified).

Steps to reproduce the problem

Before (policy = DROP):

# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   55 52485 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   15  1744 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
...etc

Start rtpengine:

# systemctl start ngcp-rtpengine-daemon

After (policy = ACCEPT):

# iptables -nvL
Chain INPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   620 rtpengine  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  132  113K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  237 29002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
...etc

Chain rtpengine (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   620 RTPENGINE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            RTPENGINE id:0

Additional program output to the terminal or logs illustrating the issue

No response

Anything else?

No response
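A pre/post check for the behaviour described in this issue, added here as an example; it is not code from the rtpengine project or from the issue author. It parses the chain header that `iptables -nvL` prints ("Chain INPUT (policy DROP ...)") so a deployment script can record the INPUT policy before starting the daemon and fail or restore it if the policy has changed afterwards. The sample listings are constructed from the ones posted above (trimmed), so the parsing runs offline; the commented workflow at the end assumes a root shell with iptables installed and the Debian unit name used in the report.

```shell
#!/bin/sh
# Added example (not part of rtpengine): detect a changed default policy on a chain.

# chain_policy CHAIN  < iptables-output
# Prints the policy word (DROP/ACCEPT) from the header line of CHAIN, e.g.
# "Chain INPUT (policy DROP 0 packets, 0 bytes)". User-defined chains print
# "(N references)" instead of "(policy ...)" and are skipped.
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain && $3 == "(policy" { print $4; exit }'
}

# check_policy CHAIN EXPECTED  < iptables-output
# Exit status 0 when CHAIN's policy equals EXPECTED, 1 otherwise.
check_policy() {
    actual=$(chain_policy "$1")
    [ "$actual" = "$2" ]
}

# Constructed sample input: the two listings from the issue, shortened.
BEFORE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   55 52485 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

AFTER='Chain INPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   620 rtpengine  udp  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain rtpengine (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   620 RTPENGINE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            RTPENGINE id:0'

# Workflow on a real host (assumption: root, iptables present, Debian unit name
# from the report). Record the policy, start the daemon, then verify and, if
# it was flipped, put the recorded policy back:
#
#   before=$(iptables -nvL INPUT | chain_policy INPUT)
#   systemctl start ngcp-rtpengine-daemon
#   iptables -nvL INPUT | check_policy INPUT "$before" \
#       || { echo "INPUT policy changed from $before" >&2; iptables -P INPUT "$before"; }
```

Restoring the policy after the daemon has started still leaves a window in which INPUT accepts everything by default; treat the check as a detection aid while the daemon's own iptables handling is being sorted out, not as a fix.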