[asterisk-bugs] [Asterisk 0014675]: Security Vulnerability

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Mar 16 11:03:49 CDT 2009


The following issue has been SUBMITTED. 
====================================================================== 
http://bugs.digium.com/view.php?id=14675 
====================================================================== 
Reported By:                Nick_Lewis
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   14675
Category:                   Channels/chan_sip/General
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Asterisk Version:           1.6.1.0-rc2 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-03-16 11:03 CDT
Last Modified:              2009-03-16 11:03 CDT
====================================================================== 
Summary:                    Security Vulnerability
Description: 
The IETF have published a description of a SIP security vulnerability at

http://tools.ietf.org/id/draft-state-sip-relay-attack-00.txt

It proposes that user agent clients (such as Asterisk with SIP trunks)
mitigate the threat by accepting incoming INVITEs only from a configured
outbound proxy:

"This means that [the] UA shall only accept SIP messages with a source IP
address set to the outbound proxy's IP address"

In the current implementation, Asterisk does try to perform some IP address
matching on incoming SIP INVITEs, but this does not include matching to the
outbound proxy.
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-03-16 11:03 Nick_Lewis     New Issue                                    
2009-03-16 11:03 Nick_Lewis     Asterisk Version          => 1.6.1.0-rc2     
2009-03-16 11:03 Nick_Lewis     Regression                => No              
2009-03-16 11:03 Nick_Lewis     SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================
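The source-address rule the draft proposes, as an added example in Python (not part of this bug report and not Asterisk's chan_sip code): an inbound SIP request is admitted only when the transport-layer source address of the datagram matches a configured outbound proxy, and the message's own Via/From/Contact headers are never consulted for that decision because the sender sets them. It generalises the draft's single address to a list of addresses or CIDR ranges; the proxy addresses and the INVITE below are constructed.

```python
import ipaddress

# Constructed configuration: the outbound proxies this UA trusts.
# Entries may be single addresses or CIDR ranges, IPv4 or IPv6.
OUTBOUND_PROXIES = ["192.0.2.10", "2001:db8::10"]

# Constructed sample request, as it would arrive on the SIP trunk.
INVITE = (
    b"INVITE sip:1000@pbx.example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.net>;tag=1928301774\r\n"
    b"To: <sip:1000@pbx.example.net>\r\n"
    b"Call-ID: a84b4c76e66710\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_request_line(msg: bytes):
    """Return (method, request-uri) for a SIP request, None for a response or junk."""
    first, _, _ = msg.partition(b"\r\n")
    parts = first.decode("ascii", "replace").split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None  # responses start with "SIP/2.0 <code> <reason>"
    return parts[0], parts[1]


def source_is_outbound_proxy(src_ip: str, proxies) -> bool:
    """True if the datagram source address lies in a configured proxy entry."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    # strict=False lets a bare address act as a /32 or /128 network;
    # an IPv4 address is never contained in an IPv6 network, and vice versa.
    return any(src in ipaddress.ip_network(p, strict=False) for p in proxies)


def admit_request(msg: bytes, src_ip: str, proxies=OUTBOUND_PROXIES):
    """Apply the draft's rule: decide on transport source before trusting any header."""
    req = parse_request_line(msg)
    if req is None:
        return False, "not a SIP request"
    method = req[0]
    if not source_is_outbound_proxy(src_ip, proxies):
        return False, f"{method} from {src_ip} is not from the configured outbound proxy"
    return True, f"{method} accepted from outbound proxy {src_ip}"
```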
