[asterisk-dev] AST-2012-013: ACL rules ignored when placing outbound calls by certain IAX2 users

Asterisk Security Team security at asterisk.org
Thu Aug 30 15:45:33 CDT 2012


               Asterisk Project Security Advisory - AST-2012-013

         Product        Asterisk                                              
         Summary        ACL rules ignored when placing outbound calls by      
                        certain IAX2 users                                    
    Nature of Advisory  Unauthorized use of system                            
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Moderate                                              
      Exploits Known    None                                                  
       Reported On      07/27/2012                                            
       Reported By      Alan Frisch                                           
        Posted On       08/30/2012                                            
     Last Updated On    August 30, 2012                                       
     Advisory Contact   Matt Jordan < mjordan AT digium DOT com >             
         CVE Name       CVE-2012-4737                                         

    Description  When an IAX2 call is made using the credentials of a peer    
                 defined in a dynamic Asterisk Realtime Architecture (ARA)    
                 backend, the ACL rules for that peer are not applied to the  
                 call attempt. This allows for a remote attacker who is       
                 aware of a peer's credentials to bypass the ACL rules set    
                 for that peer.                                               

    Resolution  The ACL rules for peers defined in an ARA backend are now     
                honored. Users of chan_iax2 should upgrade to the corrected   
                versions; apply a provided patch; or define their IAX2 peers  
                outside of an ARA backend in a static configuration file.     

                               Affected Versions
                Product                Release Series     
         Asterisk Open Source               1.8.x         All versions        
         Asterisk Open Source               10.x          All versions        
          Certified Asterisk               1.8.11         All versions        
         Asterisk Digiumphones       10.x.x-digiumphones  All versions        
       Asterisk Business Edition            C.3.x         All versions        

                                  Corrected In
                   Product                              Release               
             Asterisk Open Source                   1.8.15.1, 10.7.1          
              Certified Asterisk                      1.8.11-cert7            
            Asterisk Digiumphones                 10.7.1-digiumphones         
          Asterisk Business Edition                     C.3.7.6               

                                    Patches                         
                               SVN URL                              Revision  
   http://downloads.asterisk.org/pub/security/AST-2012-013.1.8.diff Asterisk  
                                                                    1.8       
   http://downloads.asterisk.org/pub/security/AST-2012-013.10.diff  Asterisk  
                                                                    10        

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-20186       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-013.pdf and             
    http://downloads.digium.com/pub/security/AST-2012-013.html                

                                Revision History
          Date                 Editor                  Revisions Made         
    08/27/2012         Matt Jordan              Initial Revision              

               Asterisk Project Security Advisory - AST-2012-013
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-dev mailing list