Asterisk Project Security Advisory - AST-2007-025
±-----------------------------------------------------------------------+
| Product | Asterisk |
|----------------------±------------------------------------------------|
| Summary | SQL Injection issue in res_config_pgsql |
|----------------------±------------------------------------------------|
| Nature of Advisory | SQL Injection |
|----------------------±------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------±------------------------------------------------|
| Severity | Moderate |
|----------------------±------------------------------------------------|
| Exploits Known | No |
|----------------------±------------------------------------------------|
| Reported On | November 29, 2007 |
|----------------------±------------------------------------------------|
| Reported By | P. Chisteas <p_christ AT hol DOT gr> |
|----------------------±------------------------------------------------|
| Posted On | November 29, 2007 |
|----------------------±------------------------------------------------|
| Last Updated On | November 29, 2007 |
|----------------------±------------------------------------------------|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------±------------------------------------------------|
| CVE Name | |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing |
| | lookup data to the Postgres Realtime Engine. An attacker |
| | could potentially compromise the administrative database |
| | containing users' usernames and passwords used for SIP |
| | authentication, among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Workaround | Convert your installation to use res_config_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
Affected Versions |
---|
Product |
------------------------------±------------±-------------------------- |
Asterisk Open Source |
------------------------------±------------±-------------------------- |
Asterisk Open Source |
------------------------------±------------±-------------------------- |
Asterisk Open Source |
------------------------------±------------±-------------------------- |
Asterisk Business Edition |
------------------------------±------------±-------------------------- |
Asterisk Business Edition |
------------------------------±------------±-------------------------- |
AsteriskNOW |
------------------------------±------------±-------------------------- |
Asterisk Appliance Developer |
Kit |
------------------------------±------------±-------------------------- |
s800i (Asterisk Appliance) |
±-----------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
Corrected In |
---|
Product |
------------------------------------------±---------------------------- |
Asterisk Open Source |
------------------------------------------±---------------------------- |
------------------------------------------±---------------------------- |
±-----------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
| Links | |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-025.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-025.html |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
Revision History |
---|
Date |
-----------------±-----------------------±---------------------------- |
2007-11-29 |
±-----------------------------------------------------------------------+ |
Asterisk Project Security Advisory - AST-2007-025
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.