Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28440
HistorySep 02, 2012 - 12:00 a.m.

AST-2012-013: ACL rules ignored when placing outbound calls by certain IAX2 users

2012-09-0200:00:00
vulners.com
13
JSON
           Asterisk Project Security Advisory - AST-2012-013

     Product        Asterisk                                              
     Summary        ACL rules ignored when placing outbound calls by      
                    certain IAX2 users                                    
Nature of Advisory  Unauthorized use of system                            
  Susceptibility    Remote Authenticated Sessions                         
     Severity       Moderate                                              
  Exploits Known    None                                                  
   Reported On      07/27/2012                                            
   Reported By      Alan Frisch                                           
    Posted On       08/30/2012                                            
 Last Updated On    August 30, 2012                                       
 Advisory Contact   Matt Jordan < mjordan AT digium DOT com >             
     CVE Name       CVE-2012-4737                                         

Description  When an IAX2 call is made using the credentials of a peer    
             defined in a dynamic Asterisk Realtime Architecture (ARA)    
             backend, the ACL rules for that peer are not applied to the  
             call attempt. This allows for a remote attacker who is       
             aware of a peer's credentials to bypass the ACL rules set    
             for that peer.                                               

Resolution  The ACL rules for peers defined in an ARA backend are now     
            honored. Users of chan_iax2 should upgrade to the corrected   
            versions; apply a provided patch; or define their IAX2 peers  
            outside of an ARA backend in a static configuration file.     

                           Affected Versions
            Product                Release Series     
     Asterisk Open Source               1.8.x         All versions        
     Asterisk Open Source               10.x          All versions        
      Certified Asterisk               1.8.11         All versions        
     Asterisk Digiumphones       10.x.x-digiumphones  All versions        
   Asterisk Business Edition            C.3.x         All versions        

                              Corrected In
               Product                              Release               
         Asterisk Open Source                   1.8.15.1, 10.7.1          
          Certified Asterisk                      1.8.11-cert7            
        Asterisk Digiumphones                 10.7.1-digiumphones         
      Asterisk Business Edition                     C.3.7.6               

                                Patches                         
                           SVN URL                              Revision

http://downloads.asterisk.org/pub/security/AST-2012-013.1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2012-013.10.diff Asterisk
10

   Links     https://issues.asterisk.org/jira/browse/ASTERISK-20186       

Asterisk Project Security Advisories are posted at                        
http://www.asterisk.org/security                                          
                                                                          
This document may be superseded by later versions; if so, the latest      
version will be posted at                                                 
http://downloads.digium.com/pub/security/AST-2012-013.pdf and             
http://downloads.digium.com/pub/security/AST-2012-013.html                

                            Revision History
      Date                 Editor                  Revisions Made         
08/27/2012         Matt Jordan              Initial Revision              

           Asterisk Project Security Advisory - AST-2012-013
          Copyright (c) 2012 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Related

nessus 4
debiancve 1
ubuntucve 1
prion 1
cve 1
securityvulns 1
openvas 8
freebsd 1
debian 2
gentoo 1
nessus
nessus
Asterisk Peer IAX2 Call Handling ACL Rule Bypass (AST-2012-013)
2012-09-06 00:00:00
FreeBSD : asterisk -- multiple vulnerabilities (4c53f007-f2ed-11e1-a215-14dae9ebcf89)
2012-08-31 00:00:00
Debian DSA-2550-2 : asterisk - several vulnerabilities
2012-09-19 00:00:00
debiancve
debiancve
CVE-2012-4737
2012-08-31 14:55:00
ubuntucve
ubuntucve
CVE-2012-4737
2012-08-31 00:00:00
prion
prion
Design/Logic Flaw
2012-08-31 14:55:00
cve
cve
CVE-2012-4737
2012-08-31 14:55:00
securityvulns
securityvulns
Asterisk security vulnerabilities
2012-09-02 00:00:00
openvas
openvas
FreeBSD Ports: asterisk
2012-08-30 00:00:00
FreeBSD Ports: asterisk
2012-08-30 00:00:00
Debian Security Advisory DSA 2550-2 (asterisk)
2012-10-03 00:00:00
freebsd
freebsd
asterisk -- multiple vulnerabilities
2012-08-30 00:00:00
debian
debian
[SECURITY] [DSA 2550-2] asterisk regression update
2012-09-26 16:05:00
[SECURITY] [DSA 2550-1] asterisk security update
2012-09-18 17:18:45
gentoo
gentoo
Asterisk: Multiple vulnerabilities
2012-09-26 00:00:00
JSON
Related for SECURITYVULNS:DOC:28440
nessus4debiancve1ubuntucve1prion1cve1securityvulns1openvas8freebsd1debian2gentoo1