<p>Kevin Harwell <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/9159">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Jenkins2: Verified
  Kevin Harwell: Looks good to me, approved; Approved for Submit

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.<br><br>When endpoint specific ACL rules block a SIP request they respond with a<br>403 forbidden.  However, if an endpoint is not identified then a 401<br>unauthorized response is sent.  This vulnerability just discloses which<br>requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain<br>access to the disclosed endpoints.<br><br>* Made endpoint specific ACL rules now respond with a 401 unauthorized<br>which is the same as if an endpoint were not identified.  The fix is<br>accomplished by replacing the found endpoint with the artificial endpoint<br>which always fails authentication.<br><br>ASTERISK-27818<br><br>Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32<br>---<br>M res/res_pjsip/pjsip_distributor.c<br>1 file changed, 30 insertions(+), 8 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c<br>index 7f512d1..5173817 100644<br>--- a/res/res_pjsip/pjsip_distributor.c<br>+++ b/res/res_pjsip/pjsip_distributor.c<br>@@ -676,6 +676,26 @@<br>      ao2_unlock(unid);<br> }<br> <br>+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);<br>+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);<br>+<br>+static void apply_acls(pjsip_rx_data *rdata)<br>+{<br>+   struct ast_sip_endpoint *endpoint;<br>+<br>+        /* Is the endpoint allowed with the source or contact address? 
*/<br>+    endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];<br>+   if (endpoint != artificial_endpoint<br>+          && (apply_endpoint_acl(rdata, endpoint)<br>+                      || apply_endpoint_contact_acl(rdata, endpoint))) {<br>+           ast_debug(1, "Endpoint '%s' not allowed by ACL\n",<br>+                 ast_sorcery_object_get_id(endpoint));<br>+<br>+             /* Replace the rdata endpoint with the artificial endpoint. */<br>+               ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);<br>+    }<br>+}<br>+<br> static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)<br> {<br>         struct ast_sip_endpoint *endpoint;<br>@@ -694,6 +714,7 @@<br>                       ao2_unlink(unidentified_requests, unid);<br>                      ao2_ref(unid, -1);<br>            }<br>+            apply_acls(rdata);<br>            return PJ_FALSE;<br>      }<br> <br>@@ -753,6 +774,8 @@<br>                     ast_sip_report_invalid_endpoint(name, rdata);<br>                 }<br>     }<br>+<br>+ apply_acls(rdata);<br>    return PJ_FALSE;<br> }<br> <br>@@ -836,16 +859,11 @@<br> <br>     ast_assert(endpoint != NULL);<br> <br>-     if (endpoint!=artificial_endpoint) {<br>-         if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {<br>-                    if (!is_ack) {<br>-                               pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);<br>-                   }<br>-                    return PJ_TRUE;<br>-              }<br>+    if (is_ack) {<br>+                return PJ_FALSE;<br>      }<br> <br>- if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {<br>+   if (ast_sip_requires_authentication(endpoint, rdata)) {<br>               pjsip_tx_data *tdata;<br>                 struct unidentified_request *unid;<br> <br>@@ -881,6 +899,10 @@<br>                   return PJ_TRUE;<br>               }<br>             
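Review bot: `apply_acls()` hands whatever is stored in `rdata->endpt_info.mod_data[endpoint_mod.id]` straight to `apply_endpoint_acl()` without a NULL check, although the function patched in the -836 hunk guards the same slot with `ast_assert(endpoint != NULL);`. Adding that assert right after the assignment would document the invariant that both new call sites in `endpoint_lookup()` (the early return at -694 and the final return at -753) have already populated the slot; the surrounding bodies lie outside the hunks, so this is presumed rather than confirmed. The function also deserves a header comment giving the security reason for the swap, e.g. `/* Swap an ACL-rejected endpoint for the artificial one so the reply is the same 401 an unknown endpoint gets. */`. The only trace of a denial added here is `ast_debug(1, ...)`, and whether `apply_endpoint_acl()` itself raises a security event is not visible, so it is worth confirming that operators still get an ACL-failure signal now that the 403 is gone.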
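Review bot: An ACK from an ACL-rejected address now falls through with `return PJ_FALSE;`, whereas the removed block consumed it with `return PJ_TRUE;`. Combined with `apply_acls()` swapping in the artificial endpoint, such an ACK continues to later modules carrying the artificial endpoint, presumably the same way an ACK from an unidentified sender already did. A comment on the new guard would record that this is intended, e.g. `/* ACKs are never challenged; an ACL-rejected ACK carries the artificial endpoint from here on. */`, and it is worth confirming that downstream modules discard ACKs that arrive with the artificial endpoint. The function starts and ends outside this hunk.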
pjsip_tx_data_dec_ref(tdata);<br>+        } else if (endpoint == artificial_endpoint) {<br>+                /* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */<br>+          pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);<br>+           return PJ_TRUE;<br>       }<br> <br>  return PJ_FALSE;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/9159">change 9159</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/9159"/><meta itemprop="name" content="View Change"/></div></div>
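Review bot: The new fail-closed branch for `endpoint == artificial_endpoint` answers 500 and returns without logging anything, so a deployment where the artificial endpoint cannot issue a challenge would reject every unidentified or ACL-blocked request with no trace on the server side. A line such as `ast_debug(1, "Artificial endpoint could not challenge; rejecting request\n");` would match the logging added in `apply_acls()`; keep it at debug level or rate-limited, since unauthenticated senders reach this branch. The comment could also state the reason more plainly, e.g. `/* The artificial endpoint must never pass unauthenticated; fail closed. */`. The 500 is the same for unidentified and ACL-blocked requests, so it does not reintroduce the 401/403 distinction this change removes. The enclosing function begins outside the hunk.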

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 15.4 </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32 </div>
<div style="display:none"> Gerrit-Change-Number: 9159 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Richard Mudgett <rmudgett@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins2 </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>