Bugzilla – Bug 372239
VUL-0: AST-2008-003: Unauthenticated calls allowed from
Last modified: 2009-10-14 02:12:35 UTC
Your friendly security team received the following report via full-disclosure. Please respond ASAP. The issue is public. Date: Tue, 18 Mar 2008 18:29:22 -0500 From: Asterisk Security Team <security@asterisk.org> To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] AST-2008-003: Unauthenticated calls allowed from SIP channel driver Asterisk Project Security Advisory - AST-2008-003 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Unauthenticated calls allowed from SIP channel | | | driver | |--------------------+---------------------------------------------------| | Nature of Advisory | Authentication Bypass | |--------------------+---------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+---------------------------------------------------| | Severity | Major | |--------------------+---------------------------------------------------| | Exploits Known | No | |--------------------+---------------------------------------------------| | Reported On | March 12, 2008 | |--------------------+---------------------------------------------------| | Reported By | Jason Parker <jparker@digium.com> | |--------------------+---------------------------------------------------| | Posted On | March 18, 2008 | |--------------------+---------------------------------------------------| | Last Updated On | March 18, 2008 | |--------------------+---------------------------------------------------| | Advisory Contact | Jason Parker <jparker@digium.com> | |--------------------+---------------------------------------------------| | CVE Name | CVE-2008-1332 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | Unauthenticated calls can be made via the SIP channel | | | driver using an invalid From header. This acts similarly | | | to the SIP configuration option 'allowguest=yes', in | | | that calls with a specially crafted From header would be | | | sent to the PBX in the context specified in the general | | | section of sip.conf. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | A fix has been added which checks for the option | | | 'allowguest' to be enabled before determining that | | | authentication is not required. | | | | | | As a workaround, modify the context in the general | | | section of sip.conf to point to a non-trusted location | | | (example: a non-existent context, or a context that does | | | nothing but hang up the call). | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |------------------------------+---------+-------------------------------| | Asterisk Open Source | 1.0.x | All versions | |------------------------------+---------+-------------------------------| | Asterisk Open Source | 1.2.x | All versions prior to 1.2.27 | |------------------------------+---------+-------------------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | 1.4.18.1 and 1.4.19-rc3 | |------------------------------+---------+-------------------------------| | Asterisk Business Edition | A.x.x | All versions | |------------------------------+---------+-------------------------------| | Asterisk Business Edition | B.x.x | All versions prior to B.2.5.1 | |------------------------------+---------+-------------------------------| | Asterisk Business Edition | C.x.x | All versions prior to C.1.6.2 | |------------------------------+---------+-------------------------------| | AsteriskNOW | 1.0.x | All versions prior to 1.0.2 | |------------------------------+---------+-------------------------------| | Asterisk Appliance Developer | SVN | All versions prior to | | Kit | | Asterisk 1.4 revision 109393 | |------------------------------+---------+-------------------------------| | s800i (Asterisk Appliance) | 1.0.x | All versions prior to 1.1.0.2 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |---------------+--------------------------------------------------------| | Asterisk Open | 1.2.27, 1.4.18.1/1.4.19-rc3, available from | | Source | http://downloads.digium.com/pub/telephony/asterisk | |---------------+--------------------------------------------------------| | Asterisk | B.2.5.1, C.1.6.2 | | Business | | | Edition | | |---------------+--------------------------------------------------------| | AsteriskNOW | 1.0.2, available from http://www.asterisknow.org/ | | | | | | Current users can update using the system update | | | feature in the appliance control panel. | |---------------+--------------------------------------------------------| | Asterisk | Asterisk 1.4 revision 109393. Available by performing | | Appliance | an svn update of the AADK tree. | | Developer Kit | | |---------------+--------------------------------------------------------| | s800i | 1.1.0.2 | | (Asterisk | | | Appliance) | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2008-003.pdf and | | http://downloads.digium.com/pub/security/AST-2008-003.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |------------------+---------------------+-------------------------------| | 2008-03-18 | Jason Parker | Initial Release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2008-003 Copyright (c) 2008 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
The asterisk team issued three more security advisories at the same time: AST-2008-002: Two buffer overflows in RTP Codec Payload Handling http://downloads.digium.com/pub/security/AST-2008-002.pdf AST-2008-004: Format String Vulnerability in Logger and Manager http://downloads.digium.com/pub/security/AST-2008-004.pdf AST-2008-005: HTTP Manager ID is predictable http://downloads.digium.com/pub/security/AST-2008-004.pdf Please advice if I shall address them as well.
Ah - they all don't affect version 1.2, so we don't need to address them.
Fixed packages submitted to 10.2 and 10.1.
MaintenanceTracker-17109
updates released
CVE-2008-1332: CVSS v2 Base Score: 8.8 (AV:N/AC:M/Au:N/C:C/I:C/A:N)