[asterisk-announce] AST-2010-003: Invalid parsing of ACL rules can compromise security

Asterisk Security Team security at asterisk.org
Thu Feb 25 16:28:13 CST 2010


               Asterisk Project Security Advisory - AST-2010-003

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Invalid parsing of ACL rules can compromise       |
   |                    | security                                          |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized access to system                     |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | Feb 24, 2010                                      |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Mark Michelson                                    |
   |--------------------+---------------------------------------------------|
   |     Posted On      | Feb 25, 2010                                      |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | February 25, 2010                                 |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Mark Michelson < mmichelson AT digium DOT com >   |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Host access rules using "permit=" and "deny="            |
   |             | configurations behave unpredictably if the CIDR notation |
   |             | "/0" is used. Depending on the system's behavior, this   |
   |             | may act as desired, but in other cases it might not,     |
   |             | thereby allowing access from hosts that should be        |
   |             | denied.                                                  |
   |             |                                                          |
   |             | Note that even if an unauthorized host is allowed access |
   |             | due to this exploit, authentication measures still in    |
   |             | place would prevent further unauthorized access.         |
   |             |                                                          |
   |             | Note also that there is a workaround for this problem,   |
   |             | which is to use the dotted-decimal format "/0.0.0.0"     |
   |             | instead of CIDR notation. The bug does not exist when    |
   |             | using this format. In addition, this format is what is   |
   |             | used in Asterisk's sample configuration files.           |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Code has been corrected to behave consistently on all     |
   |            | systems when "/0" is used.                                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.6.x  | All 1.6.0, 1.6.1 and 1.6.2      |
   |                            |         | releases                        |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.6.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  C.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |   1.5   | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.2.x  | Unaffected                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |              Product               |              Release              |
   |------------------------------------+-----------------------------------|
   |              Asterisk              |             1.6.0.25              |
   |------------------------------------+-----------------------------------|
   |              Asterisk              |             1.6.1.17              |
   |------------------------------------+-----------------------------------|
   |              Asterisk              |              1.6.2.5              |
   +------------------------------------------------------------------------+

   +-------------------------------------------------------------------------+
   |                                 Patches                                 |
   |-------------------------------------------------------------------------|
   |                               URL                                |Branch|
   |------------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.0 |
   |------------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.1 |
   |------------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.2 |
   +-------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2010-003.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2010-003.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |        Editor        |       Revisions Made        |
   |-------------------+----------------------+-----------------------------|
   | Feb 24, 2010      | Mark Michelson       | Initial Advisory            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2010-003
              Copyright (c) 2010 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-announce mailing list