Security Advisory: AST-2008-003: Unauthenticated calls allowed from SIP channel driver

[EN] securityvulns.ru
no-pyccku

Related information
  Asterisk multiple security vulnerabilities
  [Full-disclosure] [MU-200803-01] Multiple buffer overflows in Asterisk
  AST-2008-004: Format String Vulnerability in Logger and Manager
  AST-2008-002: Two buffer overflows in RTP Codec Payload Handling
  AST-2008-005: HTTP Manager ID is predictable

From: ASTERISK
Date: 19.03.2008
Subject: AST-2008-003: Unauthenticated calls allowed from SIP channel driver

              Asterisk Project Security Advisory - AST-2008-003

  +------------------------------------------------------------------------+
  |      Product       | Asterisk                                          |
  |--------------------+---------------------------------------------------|
  |      Summary       | Unauthenticated calls allowed from SIP channel    |
  |                    | driver                                            |
  |--------------------+---------------------------------------------------|
  | Nature of Advisory | Authentication Bypass                             |
  |--------------------+---------------------------------------------------|
  |   Susceptibility   | Remote Unauthenticated Sessions                   |
  |--------------------+---------------------------------------------------|
  |      Severity      | Major                                             |
  |--------------------+---------------------------------------------------|
  |   Exploits Known   | No                                                |
  |--------------------+---------------------------------------------------|
  |    Reported On     | March 12, 2008                                    |
  |--------------------+---------------------------------------------------|
  |    Reported By     | Jason Parker <jparker@digium.com>                 |
  |--------------------+---------------------------------------------------|
  |     Posted On      | March 18, 2008                                    |
  |--------------------+---------------------------------------------------|
  | Last Updated On   | March 18, 2008                                    |
  |--------------------+---------------------------------------------------|
  | Advisory Contact | Jason Parker <jparker@digium.com>                 |
  |--------------------+---------------------------------------------------|
  |      CVE Name      | CVE-2008-1332                                     |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Description | Unauthenticated calls can be made via the SIP channel    |
  |             | driver using an invalid From header. This acts similarly |
  |             | to the SIP configuration option 'allowguest=yes', in     |
  |             | that calls with a specially crafted From header would be |
  |             | sent to the PBX in the context specified in the general |
  |             | section of sip.conf.                                     |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Resolution | A fix has been added which checks for the option          |
  |            | 'allowguest' to be enabled before determining that        |
  |            | authentication is not required.                           |
  |            |                                                           |
  |            | As a workaround, modify the context in the general        |
  |            | section of sip.conf to point to a non-trusted location    |
  |            | (example: a non-existent context, or a context that does |
  |            | nothing but hang up the call).                            |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                           Affected Versions                            |
  |------------------------------------------------------------------------|
  |           Product            | Release |                               |
  |                              | Series |                               |
  |------------------------------+---------+-------------------------------|
  |     Asterisk Open Source     | 1.0.x | All versions                  |
  |------------------------------+---------+-------------------------------|
  |     Asterisk Open Source     | 1.2.x | All versions prior to 1.2.27 |
  |------------------------------+---------+-------------------------------|
  |     Asterisk Open Source     | 1.4.x | All versions prior to         |
  |                              |         | 1.4.18.1 and 1.4.19-rc3       |
  |------------------------------+---------+-------------------------------|
  | Asterisk Business Edition   | A.x.x | All versions                  |
  |------------------------------+---------+-------------------------------|
  | Asterisk Business Edition   | B.x.x | All versions prior to B.2.5.1 |
  |------------------------------+---------+-------------------------------|
  | Asterisk Business Edition   | C.x.x | All versions prior to C.1.6.2 |
  |------------------------------+---------+-------------------------------|
  |         AsteriskNOW          | 1.0.x | All versions prior to 1.0.2   |
  |------------------------------+---------+-------------------------------|
  | Asterisk Appliance Developer |   SVN   | All versions prior to         |
  |             Kit              |         | Asterisk 1.4 revision 109393 |
  |------------------------------+---------+-------------------------------|
  | s800i (Asterisk Appliance) | 1.0.x | All versions prior to 1.1.0.2 |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                              Corrected In                              |
  |------------------------------------------------------------------------|
  |    Product    |                        Release                         |
  |---------------+--------------------------------------------------------|
  | Asterisk Open |      1.2.27, 1.4.18.1/1.4.19-rc3, available from       |
  |    Source     |   http://downloads.digium.com/pub/telephony/asterisk   |
  |---------------+--------------------------------------------------------|
  |   Asterisk    |                    B.2.5.1, C.1.6.2                    |
  |   Business    |                                                        |
  |    Edition    |                                                        |
  |---------------+--------------------------------------------------------|
  | AsteriskNOW |   1.0.2, available from http://www.asterisknow.org/    |
  |               |                                                        |
  |               |    Current users can update using the system update    |
  |               |        feature in the appliance control panel.         |
  |---------------+--------------------------------------------------------|
  |   Asterisk    | Asterisk 1.4 revision 109393. Available by performing |
  |   Appliance   |            an svn update of the AADK tree.             |
  | Developer Kit |                                                        |
  |---------------+--------------------------------------------------------|
  |     s800i     |                        1.1.0.2                         |
  |   (Asterisk   |                                                        |
  | Appliance)   |                                                        |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |        Links         |                                                 |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Asterisk Project Security Advisories are posted at                     |
  | http://www.asterisk.org/security                                       |
  |                                                                        |
  | This document may be superseded by later versions; if so, the latest   |
  | version will be posted at                                              |
  | http://downloads.digium.com/pub/security/AST-2008-003.pdf and          |
  | http://downloads.digium.com/pub/security/AST-2008-003.html             |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                            Revision History                            |
  |------------------------------------------------------------------------|
  |       Date       |       Editor        |        Revisions Made         |
  |------------------+---------------------+-------------------------------|
  | 2008-03-18       | Jason Parker        | Initial Release               |
  +------------------------------------------------------------------------+

              Asterisk Project Security Advisory - AST-2008-003
             Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.

test server