[asterisk-security] AST-2009-007: ACL not respected on SIP INVITE

Asterisk Security Team security at asterisk.org
Mon Oct 26 15:26:49 CDT 2009


               Asterisk Project Security Advisory - AST-2009-007

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | ACL not respected on SIP INVITE                   |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized calls allowed on prohibited networks |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthorized session                       |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | October 18, 2009                                  |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Thomas Athineou <thom_winkler AT web DOT de>      |
   |--------------------+---------------------------------------------------|
   |     Posted On      | October 26, 2009                                  |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | October 26, 2009                                  |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Jeff Peeler <jpeeler AT digium DOT com>           |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | A missing ACL check for handling SIP INVITEs allows a    |
   |             | device to make calls on networks intended to be          |
   |             | prohibited as defined by the "deny" and "permit" lines   |
   |             | in sip.conf. The ACL check for handling SIP              |
   |             | registrations was not affected.                          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Users should upgrade to a version listed in the           |
   |            | "Corrected In" section below.                             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.4.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.6.x      | All 1.6.1 versions    |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.4.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.6.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     A.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     B.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     C.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |          AsteriskNOW          |      1.5       | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |  s800i (Asterisk Appliance)   |     1.2.x      | Unaffected            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |         Open Source Asterisk 1.6.1          |         1.6.1.8          |
   +------------------------------------------------------------------------+

  +----------------------------------------------------------------------------+
  |                                  Patches                                   |
  |----------------------------------------------------------------------------|
  |                              SVN URL                               |Version|
  |--------------------------------------------------------------------+-------|
  |http://downloads.digium.com/pub/security/AST-2009-007-1.6.1.diff.txt| 1.6.1 |
  +----------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-007.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-007.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |          Date          |      Editor      |       Revisions Made       |
   |------------------------+------------------+----------------------------|
   | October 26, 2009       | Jeff Peeler      | Initial release            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-007
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-security mailing list