From asteriskteam at digium.com Tue Feb 2 16:28:59 2010
From: asteriskteam at digium.com (Asterisk Development Team)
Date: Tue, 02 Feb 2010 17:28:59 -0500
Subject: [asterisk-announce] Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 Released
Message-ID: <4B68A72B.6010704@digium.com>

The Asterisk Development Team has announced security releases for Asterisk as
the following versions:

 * 1.6.0.22
 * 1.6.1.14
 * 1.6.2.2

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include the fix
described in security advisory AST-2010-001.

The issue is that an attacker attempting to negotiate T.38 over SIP can
remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to
contain either a negative or exceptionally large value. The same crash will
occur when the FaxMaxDatagram field is omitted from the SDP, as well.

For more information about the details of this vulnerability, please read the
security advisory AST-2009-009, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.22
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.2

Security advisory AST-2010-001 is available at:

http://downloads.asterisk.org/pub/security/AST-2010-001.pdf

Thank you for your continued support of Asterisk!
From security at asterisk.org Tue Feb 2 16:40:17 2010
From: security at asterisk.org (Asterisk Security Team)
Date: Tue, 02 Feb 2010 16:40:17 -0600
Subject: [asterisk-announce] AST-2010-001: T.38 Remote Crash Vulnerability
Message-ID:

               Asterisk Project Security Advisory - AST-2010-001

+------------------------------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | T.38 Remote Crash Vulnerability                 |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | Denial of Service                               |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote unauthenticated sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Critical                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | No                                              |
|----------------------+-------------------------------------------------|
| Reported On          | 12/03/09                                        |
|----------------------+-------------------------------------------------|
| Reported By          | issues.asterisk.org users bklang and elsto      |
|----------------------+-------------------------------------------------|
| Posted On            | 02/03/10                                        |
|----------------------+-------------------------------------------------|
| Last Updated On      | February 2, 2010                                |
|----------------------+-------------------------------------------------|
| Advisory Contact     | David Vossel < dvossel AT digium DOT com >      |
|----------------------+-------------------------------------------------|
| CVE Name             | CVE-2010-0441                                   |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | An attacker attempting to negotiate T.38 over SIP can    |
|             | remotely crash Asterisk by modifying the FaxMaxDatagram  |
|             | field of the SDP to contain either a negative or         |
|             | exceptionally large value. The same crash occurs when    |
|             | the FaxMaxDatagram field is omitted from the SDP as      |
|             | well.                                                    |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the  |
|            | "Corrected In" section, or apply a patch specified in the |
|            | "Patches" section.                                        |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                          | Release Series |                    |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source             | 1.6.x          | All versions       |
|----------------------------------+----------------+--------------------|
| Asterisk Business Edition        | C.3            | All versions       |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product                                  | Release                     |
|------------------------------------------+-----------------------------|
| Asterisk Open Source                     | 1.6.0.22                    |
|------------------------------------------+-----------------------------|
| Asterisk Open Source                     | 1.6.1.14                    |
|------------------------------------------+-----------------------------|
| Asterisk Open Source                     | 1.6.2.2                     |
|------------------------------------------+-----------------------------|
|                                          | C.3.3.2                     |
+------------------------------------------------------------------------+

+-------------------------------------------------------------------------+
| Patches                                                                 |
|-------------------------------------------------------------------------|
| SVN URL                                                          |Branch|
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.0.diff|v1.6.0|
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.1.diff|v1.6.1|
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.2.diff|v1.6.2|
+-------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/view.php?id=16634                  |
|       |                                                                |
|       | https://issues.asterisk.org/view.php?id=16724                  |
|       |                                                                |
|       | https://issues.asterisk.org/view.php?id=16517                  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/.pdf and                      |
| http://downloads.digium.com/pub/security/.html                         |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date           | Editor               | Revisions Made                 |
|----------------+----------------------+--------------------------------|
| 02/02/10       | David Vossel         | Initial release                |
+------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2010-001
              Copyright (c) 2010 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
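The AST-2010-001 advisory above describes three inputs that must all be survivable: a negative FaxMaxDatagram, an exceptionally large one, and a missing one. The following C code is an added example written for this page, not Asterisk source and not the AST-2010-001 patch: it extracts the "a=T38FaxMaxDatagram:" SDP attribute, distinguishes a missing attribute from a malformed or out-of-range one, and hands only a bounded value onward. The bounds (1..65535), the fallback default (400) and the function names are assumptions made for the example.

```c
/* Added example for AST-2010-001 (not Asterisk source): defensive parsing
 * of the SDP attribute "a=T38FaxMaxDatagram:" so that a missing, negative,
 * malformed or huge value never reaches the T.38/UDPTL code unchecked.
 * Bounds, default and names are assumptions made for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum t38_parse_result {
    T38_OK = 0,
    T38_MISSING,      /* attribute not present in the SDP body        */
    T38_MALFORMED,    /* value is not a clean decimal integer         */
    T38_OUT_OF_RANGE  /* negative, zero, or above the assumed maximum */
};

#define T38_DATAGRAM_MIN     1      /* assumed lower bound                  */
#define T38_DATAGRAM_MAX     65535  /* assumed upper bound                  */
#define T38_DATAGRAM_DEFAULT 400    /* assumed value when the peer omits it */

/* Find the attribute at the start of a line, parse it with strtol and
 * validate the result. Returns one of the enum values above. */
enum t38_parse_result parse_t38_max_datagram(const char *sdp, long *out)
{
    static const char key[] = "a=T38FaxMaxDatagram:";
    const size_t keylen = sizeof key - 1;
    const char *p = sdp;

    while ((p = strstr(p, key)) != NULL) {
        if (p == sdp || p[-1] == '\n') {
            const char *val = p + keylen;
            char *end;
            long v;

            errno = 0;
            v = strtol(val, &end, 10);
            /* at least one digit, and nothing but end-of-line after it */
            if (end == val || (*end != '\r' && *end != '\n' && *end != '\0'))
                return T38_MALFORMED;
            if (errno == ERANGE || v < T38_DATAGRAM_MIN || v > T38_DATAGRAM_MAX)
                return T38_OUT_OF_RANGE;
            *out = v;
            return T38_OK;
        }
        p += keylen;
    }
    return T38_MISSING;
}

/* Decide whether T.38 negotiation may continue. An absent attribute falls
 * back to the default; anything malformed or out of range is rejected
 * instead of being passed deeper into the stack. Returns 1 to proceed. */
int t38_select_max_datagram(const char *sdp, long *chosen)
{
    switch (parse_t38_max_datagram(sdp, chosen)) {
    case T38_OK:
        return 1;
    case T38_MISSING:
        *chosen = T38_DATAGRAM_DEFAULT;
        return 1;
    default:
        *chosen = 0;
        return 0;
    }
}

int main(void)
{
    /* Constructed SDP fragments: one sane, one negative, one absent. */
    const char *samples[] = {
        "v=0\r\nm=image 4000 udptl t38\r\na=T38FaxMaxDatagram:400\r\n",
        "v=0\r\nm=image 4000 udptl t38\r\na=T38FaxMaxDatagram:-1\r\n",
        "v=0\r\nm=image 4000 udptl t38\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v;
        int ok = t38_select_max_datagram(samples[i], &v);
        printf("sample %zu: %s (max datagram %ld)\n",
               i, ok ? "proceed" : "reject", v);
    }
    return 0;
}
```

The design point is that "missing" and "invalid" are separate outcomes: a missing attribute gets a documented default (or, under a stricter policy, a rejection), while a malformed or out-of-range value is refused before any buffer is sized from it. Parsing with strtol and checking both the end pointer and ERANGE is what turns "-1" and a 20-digit number into a clean error instead of a surprise integer.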
From asteriskteam at digium.com Thu Feb 11 14:57:18 2010
From: asteriskteam at digium.com (Asterisk Development Team)
Date: Thu, 11 Feb 2010 15:57:18 -0500
Subject: [asterisk-announce] Asterisk 1.2.39 Now Available
Message-ID: <4B746F2E.5060103@digium.com>

The Asterisk Development Team has announced the release of Asterisk 1.2.39.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

Asterisk 1.2.38 was created, but not released, to resolve two regression fixes
caused by security updates. Prior to the release of Asterisk 1.2.38, one
additional regression fix has been resolved, causing the release of Asterisk
1.2.39.

 * Fixes regression caused by randomized call numbers.
   (Closes issue #15997) Reported by exarv. Patched by dvossel.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.39

Thank you for your continued support of Asterisk!

From security at asterisk.org Thu Feb 18 17:46:21 2010
From: security at asterisk.org (Asterisk Security Team)
Date: Thu, 18 Feb 2010 17:46:21 -0600
Subject: [asterisk-announce] AST-2010-002: Dialplan injection vulnerability
Message-ID:

               Asterisk Project Security Advisory - AST-2010-002

+------------------------------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | Dialplan injection vulnerability                |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | Data injection vulnerability                    |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote Unauthenticated Sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Critical                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | Yes                                             |
|----------------------+-------------------------------------------------|
| Reported On          | 10/02/10                                        |
|----------------------+-------------------------------------------------|
| Reported By          | Hans Petter Selasky                             |
|----------------------+-------------------------------------------------|
| Posted On            | 16/02/10                                        |
|----------------------+-------------------------------------------------|
| Last Updated On      | February 18, 2010                               |
|----------------------+-------------------------------------------------|
| Advisory Contact     | Leif Madsen < lmadsen AT digium DOT com >       |
|----------------------+-------------------------------------------------|
| CVE Name             |                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | A common usage of the ${EXTEN} channel variable in a     |
|             | dialplan with wildcard pattern matches can lead to a     |
|             | possible string injection vulnerability. By having a     |
|             | wildcard match in a dialplan, it is possible to allow    |
|             | unintended calls to be executed, such as in this         |
|             | example:                                                 |
|             |                                                          |
|             | exten => _X.,1,Dial(SIP/${EXTEN})                        |
|             |                                                          |
|             | If you have a channel technology which can accept        |
|             | characters other than numbers and letters (such as SIP)  |
|             | it may be possible to craft an INVITE which sends data   |
|             | such as 300&Zap/g1/4165551212 which would create an      |
|             | additional outgoing channel leg that was not originally  |
|             | intended by the dialplan programmer.                     |
|             |                                                          |
|             | Usage of the wildcard character is common in dialplans   |
|             | that require variable number length, such as European    |
|             | dial strings.                                            |
|             |                                                          |
|             | Please note that this is not limited to a specific       |
|             | protocol or the Dial() application.                      |
|             |                                                          |
|             | The expansion of variables into                          |
|             | programmatically-interpreted strings is a common         |
|             | behavior in many script or script-like languages,        |
|             | Asterisk included. The ability for a variable to         |
|             | directly replace components of a command is a feature,   |
|             | not a bug - that is the entire point of string           |
|             | expansion.                                               |
|             |                                                          |
|             | However, it is often the case due to expediency or       |
|             | design misunderstanding that a developer will not        |
|             | examine and filter string data from external sources     |
|             | before passing it into potentially harmful areas of      |
|             | their dialplan. With the flexibility of the design of    |
|             | Asterisk come these risks if the dialplan designer is    |
|             | not suitably cautious as to how foreign data is allowed  |
|             | to continue into the system.                             |
|             |                                                          |
|             | This security release is intended to raise awareness of  |
|             | how it is possible to insert malicious strings into      |
|             | dialplans, and to advise developers to read the best     |
|             | practices documents so that they may easily avoid these  |
|             | dangers.                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | One resolution is to wrap the ${EXTEN} channel variable   |
|            | with the FILTER() dialplan function to only accept        |
|            | characters which are expected by the dialplan programmer. |
|            | The recommendation is for this to be the first priority   |
|            | in all contexts defined as incoming contexts in the       |
|            | channel driver configuration files.                       |
|            |                                                           |
|            | Examples of this and other best practices can be found in |
|            | the new README-SERIOUSLY.bestpractices.txt document in    |
|            | the top level folder of your Asterisk sources.            |
|            |                                                           |
|            | Asterisk 1.2.40 has also been released with a backport of |
|            | the FILTER() dialplan function from 1.4 in order to       |
|            | provide the tools required to resolve this issue in your  |
|            | dialplan.                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                      | Release Series |                        |
|------------------------------+----------------+------------------------|
| Asterisk Open Source         | 1.2.x          | All versions           |
|------------------------------+----------------+------------------------|
| Asterisk Open Source         | 1.4.x          | All versions           |
|------------------------------+----------------+------------------------|
| Asterisk Open Source         | 1.6.x          | All versions           |
|------------------------------+----------------+------------------------|
| Asterisk Business Edition    | B.x.x          | All versions           |
|------------------------------+----------------+------------------------|
| Asterisk Business Edition    | C.x.x          | All versions           |
|------------------------------+----------------+------------------------|
| Switchvox                    | None           | No versions affected   |
+------------------------------------------------------------------------+

+---------------------------------------------------------------------------------------------+
| Document                                                                                    |
|---------------------------------------------------------------------------------------------|
| SVN URL                                                                              |Branch|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.2/README-SERIOUSLY.bestpractices.txt   |v1.2  |
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.4/README-SERIOUSLY.bestpractices.txt   |v1.4  |
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.0/README-SERIOUSLY.bestpractices.txt|v1.6.0|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.1/README-SERIOUSLY.bestpractices.txt|v1.6.1|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.2/README-SERIOUSLY.bestpractices.txt|v1.6.2|
+---------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product                                  | Release                     |
|------------------------------------------+-----------------------------|
| Open Source Asterisk                     | 1.2.40                      |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/view.php?id=16810                  |
|       |                                                                |
|       | https://issues.asterisk.org/view.php?id=16808                  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2010-002.pdf and          |
| http://downloads.digium.com/pub/security/AST-2010-002.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date            | Editor             | Revisions Made                  |
|-----------------+--------------------+---------------------------------|
| 16/02/10        | Leif Madsen        | Initial release                 |
+------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2010-002
              Copyright (c) 2010 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

From asteriskteam at digium.com Thu Feb 18 17:51:58 2010
From: asteriskteam at digium.com (Asterisk Development Team)
Date: Thu, 18 Feb 2010 18:51:58 -0500
Subject: [asterisk-announce] Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 Now Available
Message-ID: <4B7DD29E.7060302@digium.com>

The Asterisk Development Team has announced security releases for the
following versions of Asterisk:

 * 1.2.40
 * 1.4.29.1
 * 1.6.0.24
 * 1.6.1.16
 * 1.6.2.4

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4
include documentation describing a possible dialplan string injection with
common usage of the ${EXTEN} (and other expansion variables). The issue and
resolution are described in the AST-2010-002 security advisory.

If you have a channel technology which can accept characters other than
numbers and letters (such as SIP) it may be possible to craft an INVITE which
sends data such as 300&Zap/g1/4165551212 which would create an additional
outgoing channel leg that was not originally intended by the dialplan
programmer.

Please note that this is not limited to a specific protocol or the Dial()
application.

The expansion of variables into programmatically-interpreted strings is a
common behavior in many script or script-like languages, Asterisk included.
The ability for a variable to directly replace components of a command is a
feature, not a bug - that is the entire point of string expansion.

However, it is often the case due to expediency or design misunderstanding
that a developer will not examine and filter string data from external sources
before passing it into potentially harmful areas of their dialplan. With the
flexibility of the design of Asterisk come these risks if the dialplan
designer is not suitably cautious as to how foreign data is allowed to enter
the system unchecked.

This security release is intended to raise awareness of how it is possible to
insert malicious strings into dialplans, and to advise developers to read the
best practices documents so that they may easily avoid these dangers.

For more information about the details of this vulnerability, please read the
security advisory AST-2010-002, which was released at the same time as this
announcement.

Asterisk 1.2.40 also contains a backported dialplan function called FILTER()
in order to allow the filtering of strings as described in the best practices
document.

It should also be noted that the 1.6.x series of Asterisk had release
candidates available as versions 1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2.
These will either be released as 1.6.0.25, 1.6.1.17, and 1.6.2.5, or if
another round of RC changes is necessary, those versions numbers will be used
with -rc1 appended.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4

Security advisory AST-2010-002 is available at:

http://downloads.asterisk.org/pub/security/AST-2010-002.pdf

The README-SERIOUSLY.bestpractices.txt document is available in the top-level
directory of your Asterisk sources, or available in all Asterisk branches from
1.2 and up.

http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt

Thank you for your continued support of Asterisk!
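AST-2010-002 and the release announcement above both recommend wrapping ${EXTEN} in FILTER() before it reaches Dial(); in dialplan terms that is ${FILTER(0-9,${EXTEN})} in place of a bare ${EXTEN}. To make the mechanism concrete, the following C code is an added example written for this page, not Asterisk source and not the FILTER() implementation: it models FILTER()'s documented allowed-character semantics (literal characters plus x-y ranges), reports how many characters it had to drop, and counts how many Dial() legs the advisory's crafted string would have produced before and after filtering. The function names and the sample strings are constructed for the example.

```c
/* Added example for AST-2010-002 (not Asterisk source): a character
 * filter modelled on the documented semantics of the FILTER() dialplan
 * function, plus a helper that counts the Dial() legs an unfiltered
 * ${EXTEN} would expand into. Names and inputs are constructed. */
#include <stdio.h>
#include <string.h>

/* Expand an allowed-character spec such as "0-9" or "0-9a-zA-Z*#" into a
 * 256-entry lookup table (1 = allowed). A '-' between two characters
 * denotes a range, as in FILTER(); elsewhere it is a literal. */
static void build_allowed_table(const char *spec, unsigned char table[256])
{
    size_t i, n = strlen(spec);
    memset(table, 0, 256);
    for (i = 0; i < n; i++) {
        unsigned char lo = (unsigned char)spec[i];
        if (i + 2 < n && spec[i + 1] == '-') {
            unsigned char hi = (unsigned char)spec[i + 2];
            unsigned char c;
            if (lo > hi) { unsigned char t = lo; lo = hi; hi = t; }
            for (c = lo; ; c++) {          /* inclusive range, no overflow */
                table[c] = 1;
                if (c == hi) break;
            }
            i += 2;
        } else {
            table[lo] = 1;
        }
    }
}

/* Copy only allowed characters of `in` into `out` (capacity out_len).
 * Returns the number of characters dropped, so a strict caller can treat
 * any non-zero count as "this extension was tampered with" and hang up
 * rather than dial the sanitised remainder. */
int filter_extension(const char *allowed, const char *in,
                     char *out, size_t out_len)
{
    unsigned char table[256];
    size_t o = 0;
    int dropped = 0;
    const unsigned char *p;

    build_allowed_table(allowed, table);
    for (p = (const unsigned char *)in; *p; p++) {
        if (table[*p]) {
            if (o + 1 < out_len)
                out[o++] = (char)*p;
        } else {
            dropped++;
        }
    }
    if (out_len)
        out[o] = '\0';
    return dropped;
}

/* Dial() separates multiple destinations with '&'. Count the legs that
 * "SIP/<exten>" would produce once the variable is expanded. */
int count_dial_legs(const char *exten)
{
    int legs = 1;
    const char *p;
    for (p = exten; *p; p++)
        if (*p == '&')
            legs++;
    return legs;
}

int main(void)
{
    /* Constructed: the crafted INVITE user part quoted in the advisory */
    const char *crafted = "300&Zap/g1/4165551212";
    char safe[64];
    int dropped = filter_extension("0-9", crafted, safe, sizeof safe);

    printf("raw     : %-24s -> %d Dial() leg(s)\n", crafted, count_dial_legs(crafted));
    printf("filtered: %-24s -> %d Dial() leg(s), %d char(s) dropped\n",
           safe, count_dial_legs(safe), dropped);
    return 0;
}
```

Note what the filtered result shows: FILTER(0-9,...) reduces the string to one Dial() leg, but the surviving digits are not the number the caller was supposedly dialling, which is why the dropped-character count is returned as well. A dialplan that only sanitises will place a call to whatever digits remain; one that also rejects any input the filter had to change is the stricter of the two policies.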
From security at asterisk.org Thu Feb 25 16:28:13 2010
From: security at asterisk.org (Asterisk Security Team)
Date: Thu, 25 Feb 2010 16:28:13 -0600
Subject: [asterisk-announce] AST-2010-003: Invalid parsing of ACL rules can compromise security
Message-ID:

               Asterisk Project Security Advisory - AST-2010-003

+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | Invalid parsing of ACL rules can compromise       |
|                    | security                                          |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Unauthorized access to system                     |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote Unauthenticated Sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Moderate                                          |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| Reported On        | Feb 24, 2010                                      |
|--------------------+---------------------------------------------------|
| Reported By        | Mark Michelson                                    |
|--------------------+---------------------------------------------------|
| Posted On          | Feb 25, 2010                                      |
|--------------------+---------------------------------------------------|
| Last Updated On    | February 25, 2010                                 |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Mark Michelson < mmichelson AT digium DOT com >   |
|--------------------+---------------------------------------------------|
| CVE Name           |                                                   |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Host access rules using "permit=" and "deny="            |
|             | configurations behave unpredictably if the CIDR notation |
|             | "/0" is used. Depending on the system's behavior, this   |
|             | may act as desired, but in other cases it might not,     |
|             | thereby allowing access from hosts that should be        |
|             | denied.                                                  |
|             |                                                          |
|             | Note that even if an unauthorized host is allowed access |
|             | due to this exploit, authentication measures still in    |
|             | place would prevent further unauthorized access.         |
|             |                                                          |
|             | Note also that there is a workaround for this problem,   |
|             | which is to use the dotted-decimal format "/0.0.0.0"     |
|             | instead of CIDR notation. The bug does not exist when    |
|             | using this format. In addition, this format is what is   |
|             | used in Asterisk's sample configuration files.           |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Code has been corrected to behave consistently on all     |
|            | systems when "/0" is used.                                |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                    | Release |                                 |
|                            | Series  |                                 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source       | 1.2.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source       | 1.4.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source       | 1.6.x   | All 1.6.0, 1.6.1 and 1.6.2      |
|                            |         | releases                        |
|----------------------------+---------+---------------------------------|
| Asterisk Addons            | 1.2.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Addons            | 1.4.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Addons            | 1.6.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition  | A.x.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition  | B.x.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition  | C.x.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| AsteriskNOW                | 1.5     | Unaffected                      |
|----------------------------+---------+---------------------------------|
| s800i (Asterisk Appliance) | 1.2.x   | Unaffected                      |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product                            | Release                           |
|------------------------------------+-----------------------------------|
| Asterisk                           | 1.6.0.25                          |
|------------------------------------+-----------------------------------|
| Asterisk                           | 1.6.1.17                          |
|------------------------------------+-----------------------------------|
| Asterisk                           | 1.6.2.5                           |
+------------------------------------------------------------------------+

+-------------------------------------------------------------------------+
| Patches                                                                 |
|-------------------------------------------------------------------------|
| URL                                                              |Branch|
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.0 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.1 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.2 |
+-------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links |                                                                |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2010-003.pdf and          |
| http://downloads.digium.com/pub/security/AST-2010-003.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date              | Editor               | Revisions Made              |
|-------------------+----------------------+-----------------------------|
| Feb 24, 2010      | Mark Michelson       | Initial Advisory            |
+------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2010-003
              Copyright (c) 2010 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

From asteriskteam at digium.com Thu Feb 25 16:39:30 2010
From: asteriskteam at digium.com (Asterisk Development Team)
Date: Thu, 25 Feb 2010 17:39:30 -0500
Subject: [asterisk-announce] Asterisk 1.6.0.25, 1.6.1.17, and 1.6.2.5 Now Available
Message-ID: <4B86FC22.8020708@digium.com>

The Asterisk Development Team has announced security releases for the
following versions of Asterisk:

 * 1.6.0.25
 * 1.6.1.17
 * 1.6.2.5

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The releases of Asterisk 1.6.0.25, 1.6.1.17, and 1.6.2.5 resolve an issue with
invalid parsing of ACL (Access Control List) rules leading to a possible
compromise in security. The issue and resolution are described in the
AST-2010-003 security advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2010-003, which was released at the same time as this
announcement.

It should also be noted that release candidates for the 1.6.x series of
Asterisk have been skipped (1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2). New
release candidates will be released as 1.6.0.26-rc1, 1.6.1.18-rc1, and
1.6.2.6-rc1 pending another security release.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.25
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.17
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.5

Security advisory AST-2010-003 is available at:

http://downloads.asterisk.org/pub/security/AST-2010-003.pdf

Thank you for your continued support of Asterisk!
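AST-2010-003 above says a "/0" rule "behaves unpredictably" depending on the system, while the dotted form "/0.0.0.0" is always correct. A classic way that happens when converting a prefix length to a mask is shifting a 32-bit value by 32, which is undefined behaviour in C and, on common hardware, silently becomes a shift by 0, so "/0" (match everything) turns into "/32" (match one host). The following C code is an added example written for this page, not Asterisk source and not the AST-2010-003 patch: it parses "permit="/"deny=" rules in both the CIDR and dotted-mask forms, handles the zero-length prefix explicitly, and evaluates a small rule list. The rule syntax, the "last matching rule wins" evaluation order, the default verdict and all sample rules and addresses are assumptions constructed for the example.

```c
/* Added example for AST-2010-003 (not Asterisk source): parsing
 * "permit="/"deny=" host rules so that a "/0" prefix yields an all-zero
 * mask on every platform. Semantics and samples are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted quad into host byte order; returns 0 on failure. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Prefix length to mask. A shift by 32 is undefined in C, and the common
 * hardware result is a shift by 0, which would turn "/0" into "/32".
 * The zero case is therefore handled explicitly. */
int prefix_to_mask(int prefix, uint32_t *mask)
{
    if (prefix < 0 || prefix > 32)
        return 0;
    *mask = (prefix == 0) ? 0u : (0xFFFFFFFFu << (32 - prefix));
    return 1;
}

struct acl_rule {
    int permit;        /* 1 = permit, 0 = deny      */
    uint32_t network;  /* address already masked    */
    uint32_t mask;
};

/* Parse "permit=<addr>[/<prefix>|/<dotted mask>]" or the "deny=" form.
 * No '/' means a single host (/32). Returns 0 on any syntax error. */
int parse_acl_rule(const char *line, struct acl_rule *rule)
{
    char addr[64];
    const char *val, *slash;
    size_t len;
    uint32_t ip, mask;

    if (strncmp(line, "permit=", 7) == 0) { rule->permit = 1; val = line + 7; }
    else if (strncmp(line, "deny=", 5) == 0) { rule->permit = 0; val = line + 5; }
    else return 0;

    slash = strchr(val, '/');
    len = slash ? (size_t)(slash - val) : strlen(val);
    if (len == 0 || len >= sizeof addr)
        return 0;
    memcpy(addr, val, len);
    addr[len] = '\0';
    if (!parse_ipv4(addr, &ip))
        return 0;

    if (!slash) {
        mask = 0xFFFFFFFFu;
    } else if (strchr(slash + 1, '.')) {        /* dotted form, e.g. /0.0.0.0 */
        if (!parse_ipv4(slash + 1, &mask))
            return 0;
    } else {                                    /* CIDR form, e.g. /0 or /24 */
        char extra;
        int prefix;
        if (sscanf(slash + 1, "%d%c", &prefix, &extra) != 1 ||
            !prefix_to_mask(prefix, &mask))
            return 0;
    }
    rule->network = ip & mask;
    rule->mask = mask;
    return 1;
}

/* Walk the rules in order; the last matching rule decides. With no match
 * the host is permitted, since an empty list imposes no restriction. */
int acl_allows(const struct acl_rule *rules, int n, uint32_t host)
{
    int i, verdict = 1;
    for (i = 0; i < n; i++)
        if ((host & rules[i].mask) == rules[i].network)
            verdict = rules[i].permit;
    return verdict;
}

int main(void)
{
    /* Constructed rule set: deny everything, then permit one LAN. */
    const char *lines[] = { "deny=0.0.0.0/0", "permit=192.168.1.0/24" };
    const char *hosts[] = { "10.1.2.3", "192.168.1.5" };
    struct acl_rule rules[2];
    int i;

    for (i = 0; i < 2; i++)
        if (!parse_acl_rule(lines[i], &rules[i]))
            return 1;
    for (i = 0; i < 2; i++) {
        uint32_t h;
        if (parse_ipv4(hosts[i], &h))
            printf("%-12s -> %s\n", hosts[i], acl_allows(rules, 2, h) ? "permit" : "deny");
    }
    return 0;
}
```

With the explicit zero case, "deny=0.0.0.0/0" and "deny=0.0.0.0/0.0.0.0" parse to the same all-zero mask, so the usual "deny all, then permit the trusted network" pattern behaves the same on every platform; a unit test that asserts the mask for prefix 0 is exactly 0 is the cheapest regression check for this class of bug.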