[asterisk-bugs] [JIRA] (ASTERISK-24956) security issue when finding peers for incoming call leg
Paolo Compagnini (JIRA)
noreply at issues.asterisk.org
Mon Apr 13 12:14:32 CDT 2015
Paolo Compagnini created ASTERISK-24956:
-------------------------------------------
Summary: security issue when finding peers for incoming call leg
Key: ASTERISK-24956
URL: https://issues.asterisk.org/jira/browse/ASTERISK-24956
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Channels/chan_sip/General
Reporter: Paolo Compagnini
Let's say you have set up a friend with host=dynamic with the name ABC123 and the user is registered. This user is behind NAT and all devices in the LAN use the same public IP.
Now if someone in the same LAN sends a call to this Asterisk, he doesn't need to authorize because Asterisk will search for the src-ip in ipaddr and will find "ABC123".
Asterisk should never use the "ipaddr" for searching.
Only "host" should be used. Since the user has "host=dynamic", no peer will be found. A friend with host=dynamic should always authenticate with user/password.
To be backward compatible, a switch in sip.conf can be used.
This also applies to other scenarios, e.g. some ISPs have single IP addresses for multiple users; take DS-Lite for example. Or small ISPs that have only a few IPv4 addresses, where customers share these IP addresses.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
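To make the lookup order the report describes concrete, below is a small Python model of it. This is an added illustration, not chan_sip code: an incoming INVITE is first matched by source address against the ipaddr a dynamic peer registered from, and only if that fails by the From user plus secret. The match_dynamic_by_ip flag is a hypothetical stand-in for the sip.conf switch the report proposes (the page names no such option); the addresses 203.0.113.5 and 198.51.100.7, the static peer "trunk" and the secret are constructed. The model compares the address only, as the report describes; real chan_sip also compares the source port unless insecure=port is set, so check that setting when reproducing the scenario.

```python
"""Model of the chan_sip peer lookup described in ASTERISK-24956 (added example, not Asterisk code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Peer:
    name: str
    secret: Optional[str]
    host: str                     # "dynamic" or a static IP address from sip.conf
    ipaddr: Optional[str] = None  # learned from REGISTER when host=dynamic


class PeerTable:
    """Peers from sip.conf plus the address each dynamic peer registered from."""

    def __init__(self, match_dynamic_by_ip: bool = True) -> None:
        # match_dynamic_by_ip=False models the sip.conf switch the report asks for
        # (hypothetical name; the page proposes a switch but does not name one).
        self.match_dynamic_by_ip = match_dynamic_by_ip
        self.peers: Dict[str, Peer] = {}

    def add(self, peer: Peer) -> None:
        self.peers[peer.name] = peer

    def register(self, name: str, src_ip: str, secret: str) -> bool:
        """REGISTER: a dynamic peer that proves its secret gets ipaddr = src_ip."""
        peer = self.peers.get(name)
        if peer is None or peer.host != "dynamic" or secret != peer.secret:
            return False
        peer.ipaddr = src_ip
        return True

    def find_by_ip(self, src_ip: str) -> Optional[Peer]:
        """The lookup the report objects to: match the source address against ipaddr."""
        for peer in self.peers.values():
            if peer.host == "dynamic":
                if not self.match_dynamic_by_ip:
                    continue              # proposed behaviour: never match dynamic peers by address
                if peer.ipaddr == src_ip:
                    return peer           # current behaviour: shared NAT address matches the peer
            elif peer.host == src_ip:     # static host= entries still match by address
                return peer
        return None


def handle_invite(table: PeerTable, src_ip: str, from_user: str,
                  secret: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (result, identity) for an incoming INVITE; identity is the peer the call is attributed to."""
    peer = table.find_by_ip(src_ip)
    if peer is not None:
        return "accepted", peer.name      # matched by address: no authentication requested
    peer = table.peers.get(from_user)
    if peer is not None and peer.secret is not None and secret == peer.secret:
        return "accepted", peer.name      # matched by name and the caller proved the secret
    return "rejected", None


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed scenario from the report: ABC123 and another LAN host share one NAT address."""
    nat_ip = "203.0.113.5"                # constructed public address shared by the whole LAN
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for mode, flag in (("default", True), ("restricted", False)):
        table = PeerTable(match_dynamic_by_ip=flag)
        table.add(Peer("ABC123", "s3cret", "dynamic"))
        table.add(Peer("trunk", None, "198.51.100.7"))   # constructed static peer
        if not table.register("ABC123", nat_ip, "s3cret"):
            raise RuntimeError("registration of ABC123 should succeed")
        # Unauthenticated INVITE from another device behind the same NAT
        results[mode + "/attacker"] = handle_invite(table, nat_ip, "anything")
        # The legitimate user, supplying its secret
        results[mode + "/ABC123"] = handle_invite(table, nat_ip, "ABC123", "s3cret")
        # A static peer keeps working in both modes
        results[mode + "/trunk"] = handle_invite(table, "198.51.100.7", "trunk")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} -> {outcome}")
```

In "default" mode the unauthenticated INVITE from the shared address is accepted as ABC123, which is the report's complaint; in "restricted" mode it is rejected, ABC123 still gets in with its secret, and the static peer is unaffected, which is the backward-compatibility argument for making this a switch.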