[asterisk-bugs] [Asterisk 0014675]: Security Vulnerability
Asterisk Bug Tracker
noreply at bugs.digium.com
Mon Mar 16 11:03:49 CDT 2009
The following issue has been SUBMITTED.
======================================================================
http://bugs.digium.com/view.php?id=14675
======================================================================
Reported By: Nick_Lewis
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 14675
Category: Channels/chan_sip/General
Reproducibility: always
Severity: major
Priority: normal
Status: new
Asterisk Version: 1.6.1.0-rc2
Regression: No
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2009-03-16 11:03 CDT
Last Modified: 2009-03-16 11:03 CDT
======================================================================
Summary: Security Vulnerability
Description:
The IETF have published a description of a SIP security vulnerability at
http://tools.ietf.org/id/draft-state-sip-relay-attack-00.txt
It proposes that user agent clients (such as Asterisk with SIP trunks)
mitigate the threat by accepting incoming INVITEs only from a configured
outbound proxy:
"This means that [the] UA shall only accept SIP messages with a source IP
address set to the outbound proxy's IP address"
In the current implementation Asterisk does try to perform some IP address
matching on incoming SIP INVITEs, but this does not include matching to the
outbound proxy.
======================================================================
Issue History
Date Modified     Username    Field                                                  Change
======================================================================
2009-03-16 11:03  Nick_Lewis  New Issue
2009-03-16 11:03  Nick_Lewis  Asterisk Version                                       => 1.6.1.0-rc2
2009-03-16 11:03  Nick_Lewis  Regression                                             => No
2009-03-16 11:03  Nick_Lewis  SVN Branch (only for SVN checkouts, not tarball releases)  => N/A
======================================================================
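The check the report asks for, written out as an added example. This is not code from Asterisk's chan_sip or from the reporter; it is a stand-alone illustration of the draft's rule that, once an outbound proxy is configured for a trunk, an incoming INVITE is only processed when the datagram's source address is that proxy's address. The trunk definitions, addresses and SIP start lines below are constructed for the example; the field names mirror the sip.conf options host= and outboundproxy= as an assumption about how such a trunk would be configured.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of one SIP trunk's configuration (values are made up;
 * the field names assume sip.conf's host= and outboundproxy= settings). */
struct sip_trunk {
    const char *name;
    const char *host;           /* where we send REGISTER/INVITE for this trunk */
    const char *outbound_proxy; /* configured outbound proxy, or NULL if none */
};

enum sip_verdict {
    SIP_ACCEPT,         /* source address is the one we expect for this trunk */
    SIP_REJECT_SOURCE,  /* request came from somewhere else: drop and log it */
    SIP_NOT_APPLICABLE  /* not an INVITE request (e.g. a response), out of scope */
};

/* Parse a dotted IPv4 address into binary form; returns 0 on bad input. */
static int parse_ipv4(const char *text, struct in_addr *out) {
    return text != NULL && inet_pton(AF_INET, text, out) == 1;
}

/* Compare two textual IPv4 addresses by their binary value, so that a
 * differently spelled but equal address still matches and junk never does. */
static int same_ipv4(const char *a, const char *b) {
    struct in_addr x, y;
    return parse_ipv4(a, &x) && parse_ipv4(b, &y) && memcmp(&x, &y, sizeof x) == 0;
}

/* SIP requests start with the method name; responses start with "SIP/2.0". */
static int is_invite_request(const char *start_line) {
    return start_line != NULL && strncmp(start_line, "INVITE ", 7) == 0;
}

/* Decide whether an INVITE arriving from src_ip may be handled for trunk t.
 * With an outbound proxy configured, only that proxy's address is acceptable
 * (the draft's rule); without one, fall back to matching the trunk host, which
 * is the kind of per-peer host matching the report says already exists. */
enum sip_verdict check_invite_source(const struct sip_trunk *t,
                                     const char *src_ip,
                                     const char *start_line) {
    struct in_addr tmp;
    if (!is_invite_request(start_line))
        return SIP_NOT_APPLICABLE;
    if (!parse_ipv4(src_ip, &tmp))
        return SIP_REJECT_SOURCE;
    if (t->outbound_proxy != NULL)
        return same_ipv4(src_ip, t->outbound_proxy) ? SIP_ACCEPT : SIP_REJECT_SOURCE;
    return same_ipv4(src_ip, t->host) ? SIP_ACCEPT : SIP_REJECT_SOURCE;
}

/* Two constructed trunks: one routed through an outbound proxy, one direct. */
const struct sip_trunk trunk_with_proxy = { "provider-a", "203.0.113.5", "198.51.100.10" };
const struct sip_trunk trunk_no_proxy   = { "provider-b", "203.0.113.5", NULL };

static const char *verdict_name(enum sip_verdict v) {
    return v == SIP_ACCEPT ? "accept" : v == SIP_REJECT_SOURCE ? "reject" : "n/a";
}

int main(void) {
    const char *invite = "INVITE sip:1000@pbx.example.invalid SIP/2.0";
    const char *sources[] = { "198.51.100.10", "203.0.113.5", "192.0.2.77" };
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++) {
        printf("%-14s via proxy trunk: %-6s  direct trunk: %s\n", sources[i],
               verdict_name(check_invite_source(&trunk_with_proxy, sources[i], invite)),
               verdict_name(check_invite_source(&trunk_no_proxy, sources[i], invite)));
    }
    return 0;
}
```

The second source address in the demonstration is the trunk's own host: with an outbound proxy configured it is rejected, which is exactly the gap the report describes, since matching only against the peer host would have let it through. Responses to Asterisk's own requests are left to the usual transaction matching and are reported as not applicable rather than filtered here.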