<<< Date Index >>>     <<< Thread Index >>>

AST-2007-026 - SQL Injection issue in cdr_pgsql



               Asterisk Project Security Advisory - AST-2007-026

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SQL Injection issue in cdr_pgsql                |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | SQL Injection                                   |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Authenticated Sessions                   |
   |----------------------+-------------------------------------------------|
   |       Severity       | Moderate                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Tilghman Lesher <tlesher AT digium DOT com>     |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Tilghman Lesher <tlesher AT digium DOT com>     |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Input buffers were not properly escaped when providing   |
   |             | the ANI and DNIS strings to the Call Detail Record       |
   |             | Postgres logging engine. An attacker could potentially   |
   |             | compromise the administrative database containing users' |
   |             | usernames and passwords used for SIP authentication,     |
   |             | among other things.                                      |
   |             |                                                          |
   |             | This module is not active by default and must be         |
   |             | configured for use by the administrator. Default         |
   |             | installations of Asterisk are not affected.              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Workaround | Convert your installation to use cdr_odbc with the        |
   |            | PgsqlODBC driver. This module provides similar            |
   |            | functionality but is not vulnerable.                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |    Resolution    | Upgrade to Asterisk release 1.4.15 or higher.       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release    |                      |
   |                                  |    Series    |                      |
   |----------------------------------+--------------+----------------------|
   |       Asterisk Open Source       |    1.0.x     | All versions         |
   |----------------------------------+--------------+----------------------|
   |       Asterisk Open Source       |    1.2.x     | 1.2.24 and previous  |
   |----------------------------------+--------------+----------------------|
   |       Asterisk Open Source       |    1.4.x     | 1.4.14 and previous  |
   |----------------------------------+--------------+----------------------|
   |    Asterisk Business Edition     |    A.x.x     | All versions         |
   |----------------------------------+--------------+----------------------|
   |    Asterisk Business Edition     |    B.x.x     | B.2.3.3 and previous |
   |----------------------------------+--------------+----------------------|
   |           AsteriskNOW            | pre-release  | None                 |
   |----------------------------------+--------------+----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x     | None                 |
   |----------------------------------+--------------+----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x     | None                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.25          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.4.15          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.3.4          |
   |---------------------------------------------+--------------------------|
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2007-026.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2007-026.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2007-11-29      | Tilghman Lesher        | Initial release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-026
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.