[asterisk-dev] Fwd: AST-2010-003: Invalid parsing of ACL rules can compromise security
Bhrugu Mehta
bhrugumehta at gmail.com
Thu Feb 25 23:00:35 CST 2010
Hi,
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.0 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.1 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.2 |
This is not working, so please correct this.
Regards,
---------- Forwarded message ----------
From: Asterisk Security Team <security at asterisk.org>
Date: Fri, Feb 26, 2010 at 3:58 AM
Subject: [asterisk-dev] AST-2010-003: Invalid parsing of ACL rules can
compromise security
To: asterisk-dev at lists.digium.com
Asterisk Project Security Advisory - AST-2010-003
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Invalid parsing of ACL rules can compromise |
| | security |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Unauthorized access to system |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | Feb 24, 2010 |
|--------------------+---------------------------------------------------|
| Reported By | Mark Michelson |
|--------------------+---------------------------------------------------|
| Posted On | Feb 25, 2010 |
|--------------------+---------------------------------------------------|
| Last Updated On | February 25, 2010 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------+---------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | Host access rules using "permit=" and "deny=" |
| | configurations behave unpredictably if the CIDR notation |
| | "/0" is used. Depending on the system's behavior, this |
| | may act as desired, but in other cases it might not, |
| | thereby allowing access from hosts that should be |
| | denied. |
| | |
| | Note that even if an unauthorized host is allowed access |
| | due to this exploit, authentication measures still in |
| | place would prevent further unauthorized access. |
| | |
| | Note also that there is a workaround for this problem, |
| | which is to use the dotted-decimal format "/0.0.0.0" |
| | instead of CIDR notation. The bug does not exist when |
| | using this format. In addition, this format is what is |
| | used in Asterisk's sample configuration files. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Code has been corrected to behave consistently on all |
| | systems when "/0" is used. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.x | All 1.6.0, 1.6.1 and 1.6.2 |
| | | releases |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.4.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.6.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| AsteriskNOW | 1.5 | Unaffected |
|----------------------------+---------+---------------------------------|
| s800i (Asterisk Appliance) | 1.2.x | Unaffected |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.0.25 |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.1.17 |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.2.5 |
+------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
| Patches |
|-------------------------------------------------------------------------|
| URL |Branch|
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.0 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.1 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.2 |
+-------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2010-003.pdf and |
| http://downloads.digium.com/pub/security/AST-2010-003.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+----------------------+-----------------------------|
| Feb 24, 2010 | Mark Michelson | Initial Advisory |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2010-003
Copyright (c) 2010 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
--
Bhrugu Mehta
Sr. S/W Engineer (D&D)
VOIP,Telephony Team (Asterisk,zaptel etc.)
India
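
The check below is an added example, not part of the original message or of the Asterisk code base: it scans configuration text for "permit=" and "deny=" rules that use the CIDR mask "/0" named in the advisory and proposes the dotted-decimal "/0.0.0.0" workaround. The sample configuration is constructed, and the function name and the one-rule-per-line layout are assumptions.

```python
import re

# Constructed sample (not from the advisory): Asterisk-style host access rules.
SAMPLE_CONF = """\
[general]
deny=0.0.0.0/0            ; CIDR form named in the advisory
permit=192.168.1.0/24
[peer1]
deny = 0.0.0.0/0.0.0.0    ; dotted-decimal form, the documented workaround
permit=10.0.0.0/255.0.0.0
;deny=0.0.0.0/0           ; commented out, ignored
[peer2]
permit => 172.16.0.0/0
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
# Asterisk config lines accept both "key=value" and "key => value".
RULE = re.compile(r"^(permit|deny)\s*=>?\s*([^/\s]+)/(\S+)$", re.IGNORECASE)
COMMENT = re.compile(r"(?<!\\);.*")  # ';' starts a comment unless escaped


def find_slash_zero_rules(text):
    """Return one finding per permit=/deny= rule whose mask is CIDR '/0'."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = RULE.match(line)
        if not m:
            continue
        keyword, addr, mask = m.groups()
        # A purely numeric mask is a CIDR prefix length; "0.0.0.0" is not flagged.
        if mask.isdigit() and int(mask) == 0:
            findings.append({
                "line": lineno,
                "section": section,
                "rule": f"{keyword}={addr}/{mask}",
                "workaround": f"{keyword}={addr}/0.0.0.0",
            })
    return findings


if __name__ == "__main__":
    for f in find_slash_zero_rules(SAMPLE_CONF):
        print(f"line {f['line']} [{f['section']}]: {f['rule']} -> {f['workaround']}")
```
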