[asterisk-bugs] [Asterisk 0016091]: Security Problem
Asterisk Bug Tracker
noreply at bugs.digium.com
Tue Oct 20 00:03:33 CDT 2009
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=16091
======================================================================
Reported By: thom4fun
Assigned To: ebroad
======================================================================
Project: Asterisk
Issue ID: 16091
Category: Channels/chan_sip/General
Reproducibility: always
Severity: major
Priority: normal
Status: assigned
Asterisk Version: 1.6.1.6
JIRA:
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2009-10-18 03:22 CDT
Last Modified: 2009-10-20 00:03 CDT
======================================================================
Summary: Security Problem
Description:
We use Asterisk 1.6.1.6.
It seems that Asterisk will ignore the deny and permit values.
I tried it just like in 1.4.... where it works fine, but if I use the
values:
deny=0.0.0.0/0.0.0.0
permit=192.168.30.10
the call will be executed from everywhere.
Also I tried the insecure option but I do not find a reason to give some
special clients the possibility to make an invite without authentication.
It looks like: Everybody or Nobody!
Also we tried to use these options in the file sip.conf and in the PGSQL database.
Are there some hints to get deny/permit to work?
Regards
Thomas
======================================================================
----------------------------------------------------------------------
(0112443) thom4fun (reporter) - 2009-10-20 00:03
https://issues.asterisk.org/view.php?id=16091#c112443
----------------------------------------------------------------------
I changed to:
[12345]
type=user
context=athineou
secret=333
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.99.60/255.255.255.255
insecure=invite
nat=yes
because the Asterisk has a public IP and I am behind NAT
but deny is ignored, you can dial from everywhere...
the client is not registered!!!
(I did sip reload and also restart)
Issue History
Date Modified Username Field Change
======================================================================
2009-10-20 00:03 thom4fun Note Added: 0112443
======================================================================
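Added example (not part of the original report and not Asterisk's own code): a small Python model of what the deny/permit lines quoted in the report and the note are expected to do, useful for comparing against what the server actually does. It assumes rules are applied in the order written, the last matching rule decides, and a source that matches no rule is allowed; the function names and the test addresses are invented for illustration.

```python
import ipaddress

# Constructed from the two configurations quoted in the report and in the note.
ACL_REPORT = ["deny=0.0.0.0/0.0.0.0", "permit=192.168.30.10"]
ACL_NOTE = ["deny=0.0.0.0/0.0.0.0", "permit=192.168.99.60/255.255.255.255"]


def parse_acl(lines):
    """Turn deny=/permit= lines into an ordered list of (allow, network)."""
    rules = []
    for line in lines:
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("deny", "permit"):
            raise ValueError("not an ACL line: %r" % line)
        # A bare address is treated as one host (/32); dotted netmasks are
        # accepted; strict=False masks off any host bits in the address.
        network = ipaddress.ip_network(value.strip(), strict=False)
        rules.append((key == "permit", network))
    return rules


def acl_allows(rules, source):
    """Assumed semantics: default allow, every rule checked, last match wins.

    `source` is the address the server sees the request arrive from.
    """
    addr = ipaddress.ip_address(source)
    allowed = True
    for allow, network in rules:
        if addr in network:
            allowed = allow
    return allowed


def expected_decisions(lines, sources):
    """Map each source address to the decision the ACL should produce."""
    rules = parse_acl(lines)
    return {src: acl_allows(rules, src) for src in sources}


if __name__ == "__main__":
    # 203.0.113.7 is a documentation-range address standing in for "everywhere".
    for name, acl in (("report", ACL_REPORT), ("note", ACL_NOTE)):
        probes = ["192.168.30.10", "192.168.99.60", "203.0.113.7"]
        print(name, expected_decisions(acl, probes))
```

Under these assumptions only the permitted host passes in each configuration, and writing the permit line before the deny line would block every source, so the order of the two lines matters.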