[asterisk-users] AST-2014-012: Mixed IP address families in access control lists may permit unwanted traffic.

Asterisk Security Team security at asterisk.org
Thu Nov 20 18:14:42 CST 2014

               Asterisk Project Security Advisory - AST-2014-012

         Product        Asterisk                                              
         Summary        Mixed IP address families in access control lists     
                        may permit unwanted traffic.                          
    Nature of Advisory  Unauthorized Access                                   
      Susceptibility    Remote unauthenticated sessions                       
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      25 October, 2014                                      
       Reported By      Andreas Steinmetz                                     
        Posted On       20 November, 2014                                     
     Last Updated On    November 20, 2014                                     
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
         CVE Name       Pending                                               

    Description  Many modules in Asterisk that service incoming IP traffic    
                 have ACL options ("permit" and "deny") that can be used to   
                 whitelist or blacklist address ranges. A bug has been        
                 discovered where the address family of incoming packets is   
                 only compared to the IP address family of the first entry    
                 in the list of access control rules. If the source IP        
                 address for an incoming packet is not of the same address    
                 family as the first ACL entry, that packet bypasses all ACL  
                 rules. For ACLs whose rules are all of the same address      
                 family, there is no issue.                                   
                 Note that while the incoming packet may bypass ACL rules,    
                 the packet is still subject to any authentication            
                 requirements that the specific protocol employs.             
                 This issue affects the following parts of Asterisk           
                   * All VoIP channel drivers                                 
                   * DUNDi                                                    
                   * Asterisk Manager Interface (AMI)                         

    Resolution  The ACL code has been amended to compare the incoming         
                packet's source address family against the address families   
                for all rules.                                                

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  1.8.x   All versions  
                  Asterisk Open Source                  11.x    All versions  
                  Asterisk Open Source                  12.x    All versions  
                  Asterisk Open Source                  13.x    All versions  
                   Certified Asterisk                  1.8.28   All versions  
                   Certified Asterisk                   11.6    All versions  

                                  Corrected In
          Product                              Release                        
    Asterisk Open Source, 11.14.1, 12.7.1, 13.0.1           
     Certified Asterisk                1.8.28-cert3, 11.6-cert8               

                                 SVN URL                               Revision  
   http://downloads.asterisk.org/pub/security/AST-2014-012-1.8.diff    Asterisk  
   http://downloads.asterisk.org/pub/security/AST-2014-012-1.8.28.diff Certified 
   http://downloads.asterisk.org/pub/security/AST-2014-012-11.diff     Asterisk  
   http://downloads.asterisk.org/pub/security/AST-2014-012-11.6.diff   Certified 
   http://downloads.asterisk.org/pub/security/AST-2014-012-12.diff     Asterisk  
   http://downloads.asterisk.org/pub/security/AST-2014-012-13.diff     Asterisk  

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-24469             

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-012.pdf and             

                                Revision History
          Date            Editor                  Revisions Made              
    5 November, 2014  Mark Michelson  Initial Advisory created                

               Asterisk Project Security Advisory - AST-2014-012
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

More information about the asterisk-users mailing list