<<< Date Index >>>     <<< Thread Index >>>

AST-2007-027 - Database matching order permits host-based authentication to be ignored



               Asterisk Project Security Advisory - AST-2007-027

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Database matching order permits host-based        |
   |                    | authentication to be ignored                      |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Logic error                                       |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | October 30, 2007                                  |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Tilghman Lesher <tlesher AT digium DOT com>       |
   |--------------------+---------------------------------------------------|
   |     Posted On      | December 18, 2007                                 |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | December 18, 2007                                 |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Tilghman Lesher <tlesher AT digium DOT com>       |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-6430                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Due to the way database-based registrations ("realtime") |
   |             | are processed, IP addresses are not checked when the     |
   |             | username is correct and there is no password. An         |
   |             | attacker may impersonate any user using host-based       |
   |             | authentication without a secret, simply by guessing the  |
   |             | username of that user. This is limited in scope to       |
   |             | administrators who have set up the registration database |
   |             | ("realtime") for authentication and are using only       |
   |             | host-based authentication, not passwords. However, both  |
   |             | the SIP and IAX protocols are affected.                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | As a workaround, administrators may set a password for    |
   |            | all users and peers in their registration "realtime"      |
   |            | database. A fix is included in the newest release of      |
   |            | Asterisk, as provided below.                              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | All versions prior to       |
   |                            |             | 1.2.26                      |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | All versions prior to       |
   |                            |             | 1.4.16                      |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | All versions prior to       |
   |                            |             | B.2.3.6                     |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    C.x.x    | All versions prior to       |
   |                            |             | C.1.0-beta8                 |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | Not affected                |
   |       Developer Kit        |             |                             |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | Not affected                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                  |          Release           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.2.26           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.4.16           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |          B.2.3.6           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |        C.1.0-beta8         |
   |-------------------------------------------+----------------------------|
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2007-027.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2007-027.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2007-12-18      | Tilghman Lesher        | Initial Release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-027
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.