[test-results] [Bamboo] Asterisk Testing > Certified Asterisk 1.8.11 Branch > #30 has FAILED (10 tests failed, 8 failures were new). Change made by Matthew Jordan.

Bamboo bamboo at asterisk.org
Fri Aug 31 07:45:58 CDT 2012


-----------------------------------------------------------------------
Asterisk Testing > Certified Asterisk 1.8.11 Branch > #30 failed.
-----------------------------------------------------------------------
Code has been updated by Matthew Jordan.
10/182 tests failed, 8 failures were new.

http://bamboo.asterisk.org/browse/TESTING-ASTERISKCERTIFIED1811-30/


--------------
Failing Jobs
--------------
  - Asterisk 1.8 CentOS 6 64-Bit (CentOS 6): 10 of 182 tests failed.



--------------
Code Changes
--------------
Matthew Jordan (372030):

>ST-2012-012: Resolve AMI User Unauthorized Shell Access through ExternalIVR
>
>The AMI Originate action can allow a remote user to specify information that can
>be used to execute shell commands on the system hosting Asterisk. This can
>result in an unwanted escalation of permissions, as the Originate action, which
>requires the "originate" class authorization, can be used to perform actions
>that would typically require the "system" class authorization. Previous attempts
>to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
>to do so by inspecting the names of applications and functions passed in with
>the Originate action and, if those applications/functions matched a predefined
>set of values, rejecting the command if the user lacked the "system" class
>authorization. As reported by IBM X-Force Research, the "ExternalIVR"
>application is not listed in the predefined set of values. The solution for
>this particular vulnerability is to include the "ExternalIVR" application in the
>set of defined applications/functions that require "system" class authorization.
>
>Unfortunately, the approach of inspecting fields in the Originate action against
>known applications/functions has a significant flaw. The predefined set of
>values can be bypassed by creative use of the Originate action or by certain
>dialplan configurations, which is beyond the ability of Asterisk to analyze at
>run-time. Attempting to work around these scenarios would result in severely
>restricting the applications or functions and prevent their usage for legitimate
>means. As such, any additional security vulnerabilities, where an
>application/function that would normally require the "system" class
>authorization can be executed by users with the "originate" class authorization,
>will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
>been updated to reflect that the AMI Originate action can result in commands
>requiring the "system" class authorization to be executed. Proper system
>configuration can limit the impact of such scenarios.
>
>(closes issue ASTERISK-20132)
>Reported by: Zubair Ashraf of IBM X-Force Research
>
>AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers
>
>When an IAX2 call is made using the credentials of a peer defined in a dynamic
>Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
>not applied to the call attempt. This allows for a remote attacker who is aware
>of a peer's credentials to bypass the ACL rules set for that peer.
>
>This patch ensures that the ACLs are applied for all peers, regardless of their
>storage mechanism.
>
>(closes issue ASTERISK-20186)
>Reported by: Alan Frisch
>Tested by: mjordan, Alan Frisch
>
>



--------------
Tests
--------------
New Test Failures (8)
   - AsteriskTestSuite: S/channels/ s i p/noload res srtp
   - AsteriskTestSuite: S/fastagi/get-data
   - AsteriskTestSuite: S/channels/ s i p/noload res srtp attempt srtp
   - AsteriskTestSuite: S/channels/ s i p/sip srtp
   - AsteriskTestSuite: S/fastagi/hangup
   - AsteriskTestSuite: S/fastagi/execute
   - AsteriskTestSuite: S/fastagi/record-file
   - AsteriskTestSuite: S/channels/ s i p/secure bridge media
Existing Test Failures (2)
   - AsteriskTestSuite: S/channels/ s i p/sip blind transfer/callee refer only
   - AsteriskTestSuite: S/channels/ s i p/sip blind transfer/callee with reinvite

--
This message is automatically generated by Atlassian Bamboo