AST-2008-003: Unauthenticated calls allowed from SIP channel driver

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: AST-2008-003: Unauthenticated calls allowed from SIP channel driver
From: Asterisk Security Team <security@xxxxxxxxxxxx>
Date: Tue, 18 Mar 2008 18:29:23 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla-Thunderbird 2.0.0.9 (X11/20080109)
               Asterisk Project Security Advisory - AST-2008-003

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Unauthenticated calls allowed from SIP channel    |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Authentication Bypass                             |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Major                                             |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | March 12, 2008                                    |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Jason Parker <jparker@xxxxxxxxxx>                 |
   |--------------------+---------------------------------------------------|
   |     Posted On      | March 18, 2008                                    |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | March 18, 2008                                    |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Jason Parker <jparker@xxxxxxxxxx>                 |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2008-1332                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Unauthenticated calls can be made via the SIP channel    |
   |             | driver using an invalid From header. This acts similarly |
   |             | to the SIP configuration option 'allowguest=yes', in     |
   |             | that calls with a specially crafted From header would be |
   |             | sent to the PBX in the context specified in the general  |
   |             | section of sip.conf.                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | A fix has been added which checks for the option          |
   |            | 'allowguest' to be enabled before determining that        |
   |            | authentication is not required.                           |
   |            |                                                           |
   |            | As a workaround, modify the context in the general        |
   |            | section of sip.conf to point to a non-trusted location    |
   |            | (example: a non-existent context, or a context that does  |
   |            | nothing but hang up the call).                            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |           Product            | Release |                               |
   |                              | Series  |                               |
   |------------------------------+---------+-------------------------------|
   |     Asterisk Open Source     |  1.0.x  | All versions                  |
   |------------------------------+---------+-------------------------------|
   |     Asterisk Open Source     |  1.2.x  | All versions prior to 1.2.27  |
   |------------------------------+---------+-------------------------------|
   |     Asterisk Open Source     |  1.4.x  | All versions prior to         |
   |                              |         | 1.4.18.1 and 1.4.19-rc3       |
   |------------------------------+---------+-------------------------------|
   |  Asterisk Business Edition   |  A.x.x  | All versions                  |
   |------------------------------+---------+-------------------------------|
   |  Asterisk Business Edition   |  B.x.x  | All versions prior to B.2.5.1 |
   |------------------------------+---------+-------------------------------|
   |  Asterisk Business Edition   |  C.x.x  | All versions prior to C.1.6.2 |
   |------------------------------+---------+-------------------------------|
   |         AsteriskNOW          |  1.0.x  | All versions prior to 1.0.2   |
   |------------------------------+---------+-------------------------------|
   | Asterisk Appliance Developer |   SVN   | All versions prior to         |
   |             Kit              |         | Asterisk 1.4 revision 109393  |
   |------------------------------+---------+-------------------------------|
   |  s800i (Asterisk Appliance)  |  1.0.x  | All versions prior to 1.1.0.2 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |      1.2.27, 1.4.18.1/1.4.19-rc3, available from       |
   |    Source     |   http://downloads.digium.com/pub/telephony/asterisk   |
   |---------------+--------------------------------------------------------|
   |   Asterisk    |                    B.2.5.1, C.1.6.2                    |
   |   Business    |                                                        |
   |    Edition    |                                                        |
   |---------------+--------------------------------------------------------|
   |  AsteriskNOW  |   1.0.2, available from http://www.asterisknow.org/    |
   |               |                                                        |
   |               |    Current users can update using the system update    |
   |               |        feature in the appliance control panel.         |
   |---------------+--------------------------------------------------------|
   |   Asterisk    | Asterisk 1.4 revision 109393. Available by performing  |
   |   Appliance   |            an svn update of the AADK tree.             |
   | Developer Kit |                                                        |
   |---------------+--------------------------------------------------------|
   |     s800i     |                        1.1.0.2                         |
   |   (Asterisk   |                                                        |
   |  Appliance)   |                                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links         |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-003.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-003.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date       |       Editor        |        Revisions Made         |
   |------------------+---------------------+-------------------------------|
   | 2008-03-18       | Jason Parker        | Initial Release               |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-003
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Prev by Date: Mambo/joomla com_intellect "page" LFI [Aria-Security]
Next by Date: AST-2008-002: Two buffer overflows in RTP Codec Payload Handling
Previous by thread: Mambo/joomla com_intellect "page" LFI [Aria-Security]
Next by thread: AST-2008-002: Two buffer overflows in RTP Codec Payload Handling
Index(es):
- Date
- Thread