Back to news

AST-2009-007: ACL not respected on SIP INVITE

#
Author: Matt Riddell
Daily Asterisk News
Ask Question

A security vulnerability in Asterisk 1.6 really needs your machines to be updated to avoid:

               Asterisk Project Security Advisory - AST-2009-007

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | ACL not respected on SIP INVITE                   |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized calls allowed on prohibited networks |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthorized session                       |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | October 18, 2009                                  |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Thomas Athineou       |
   |--------------------+---------------------------------------------------|
   |     Posted On      | October 26, 2009                                  |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | October 26, 2009                                  |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Jeff Peeler            |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | A missing ACL check for handling SIP INVITEs allows a    |
   |             | device to make calls on networks intended to be          |
   |             | prohibited as defined by the "deny" and "permit" lines   |
   |             | in sip.conf. The ACL check for handling SIP              |
   |             | registrations was not affected.                          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Users should upgrade to a version listed in the           |
   |            | "Corrected In" section below.                             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.4.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.6.x      | All 1.6.1 versions    |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.4.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.6.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     A.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     B.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     C.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |          AsteriskNOW          |      1.5       | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |  s800i (Asterisk Appliance)   |     1.2.x      | Unaffected            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |         Open Source Asterisk 1.6.1          |         1.6.1.8          |
   +------------------------------------------------------------------------+

  +----------------------------------------------------------------------------+
  |                                  Patches                                   |
  |----------------------------------------------------------------------------|
  |                              SVN URL                               |Version|
  |--------------------------------------------------------------------+-------|
  |http://downloads.digium.com/pub/security/AST-2009-007-1.6.1.diff.txt| 1.6.1 |
  +----------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-007.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-007.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |          Date          |      Editor      |       Revisions Made       |
   |------------------------+------------------+----------------------------|
   | October 26, 2009       | Jeff Peeler      | Initial release            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-007
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


Comments


Related posts

Back to top

Ready to supercharge your business?

Dialer pricing from only $300 per month!