5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.002 Low
EPSS
Percentile
57.3%
According to its SIP banner, the version of Asterisk running on the remote host is 11.x prior to 11.25.1, 13.x prior to 13.13.1, 14.x prior to 14.2.1, 11.6 prior to 11.6-cert16, or 13.8 prior to 13.8-cert4. It is, therefore, affected by an authentication bypass vulnerability in the chan_sip channel driver when handling the content between the SIP header name and the colon character, due to incorrect stripping of non-printable ASCII characters. An unauthenticated, remote attacker can exploit this issue, via a specially crafted combination of valid and invalid 'To' headers, to cause a proxy to allow an INVITE request into Asterisk without authentication. This is because, in deployments where Asterisk is placed behind an authenticating SIP proxy, the proxy treats the request as an in-dialog request; however, due to this issue, the same request appears to Asterisk as an out-of-dialog request, which is then processed as a new call, thus allowing calls from unauthenticated sources.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Because the check is banner-based, it only runs when the scan's 'Report paranoia' setting is raised (Settings/ParanoidReport); installs whose banner does not expose a version are reported as errors rather than as vulnerable.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
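# Plugin registration block: only metadata is set here, no traffic is sent.
# The two user-facing typos in the description ("Is it, therefore" and
# "will treats") are corrected; everything else is unchanged.
if (description)
{
  script_id(95927);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2016-9938");
  script_bugtraq_id(94789);

  script_name(english:"Asterisk SIP Channel Authentication Bypass (AST-2016-009)");

  script_set_attribute(attribute:"synopsis", value:
"A telephony application running on the remote host is affected by an
authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its SIP banner, the version of Asterisk running on the
remote host is 11.x prior to 11.25.1, 13.x prior to 13.13.1, 14.x
prior to 14.2.1, 11.6 prior to 11.6-cert16, or 13.8 prior to
13.8-cert4. It is, therefore, affected by an authentication bypass
vulnerability in the chan_sip channel driver when handling the content
between the SIP header name and a colon character due to incorrect
stripping of non-printable ASCII characters. An unauthenticated,
remote attacker can exploit this issue, via a specially crafted
combination of valid and invalid 'To' headers, to cause a proxy to
allow an INVITE request into Asterisk without authentication. This is
because, in situations where Asterisk is placed in tandem with an
authenticating SIP proxy, the proxy will treat the request as an
in-dialog request; however, due to this issue, the request will appear
to be an out-of-dialog request to Asterisk, which will then be
processed as a new call, thus allowing calls from unauthenticated
sources.
Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2016-009.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Asterisk version 11.25.1 / 13.13.1 / 14.2.1 / 11.6-cert16 /
13.8-cert4 or later.");

  # Scores are taken from the CVE entry (cvss_score_source below).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9938");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/19");

  # Banner-only check: flagged as a potential vulnerability and gated on
  # the paranoid-report setting (see script_require_keys below).
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("asterisk_detection.nasl");
  script_require_keys("asterisk/sip_detected", "Settings/ParanoidReport");

  exit(0);
}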
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
# Preconditions: the detection plugin must have seen an Asterisk SIP
# service, and at least one version KB entry must exist. Since this is a
# banner-only check it additionally requires paranoid reporting.
get_kb_item_or_exit("asterisk/sip_detected");
asterisk_kbs = get_kb_list_or_exit("sip/asterisk/*/version");
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Accumulators populated by the per-install loop that follows.
errors            = make_list();
not_vuln_installs = make_list();
is_vuln           = FALSE;
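# Evaluate every detected Asterisk SIP install; one KB entry per proto/port.
# Changes from the original: the stray ";;" is removed, the 13.x and 14.x
# patterns accept a bare major version like the 11.x pattern already did,
# and the branch selection is split out so the fixed version is chosen
# once and compared once.
foreach kb_name (keys(asterisk_kbs))
{
  vulnerable = 0;
  fixed = NULL;

  # KB key shape: sip/asterisk/<udp|tcp>/<port>/version
  matches = eregmatch(pattern:"/(udp|tcp)/([0-9]+)/version", string:kb_name);
  if (isnull(matches))
  {
    errors = make_list(errors, "Unexpected error parsing port number from '"+kb_name+"'.");
    continue;
  }
  proto = matches[1];
  port  = matches[2];

  version = asterisk_kbs[kb_name];
  if (version == 'unknown')
  {
    errors = make_list(errors, "Unable to obtain version of install on " + proto + "/" + port + ".");
    continue;
  }

  # The raw banner is only used in the report; a missing banner is
  # recorded as an error but does not block the version comparison.
  banner = get_kb_item("sip/asterisk/" + proto + "/" + port + "/source");
  if (!banner)
  {
    errors = make_list(errors, "KB item 'sip/asterisk/" + proto + "/" + port + "/source' is missing.");
    banner = 'unknown';
  }

  # Certified ("cert") releases carry their own fix versions, so the
  # branch is selected by major version plus presence of "cert".
  is_cert = ("cert" >< tolower(version));

  if (!is_cert)
  {
    if (version =~ "^11([^0-9]|$)")      fixed = "11.25.1";
    else if (version =~ "^13([^0-9]|$)") fixed = "13.13.1";
    else if (version =~ "^14([^0-9]|$)") fixed = "14.2.1";
  }
  else
  {
    if (version =~ "^11([^0-9])")        fixed = "11.6-cert16";
    else if (version =~ "^13\.8([^0-9])") fixed = "13.8-cert4";
  }

  # Branches not named in the advisory (e.g. 12.x, 15.x) keep
  # vulnerable == 0 and are reported as not affected.
  if (!isnull(fixed))
    vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk");

  if (vulnerable < 0)
  {
    is_vuln = TRUE;
    report =
      '\n Version source : ' + banner +
      '\n Installed version : ' + version +
      '\n Fixed version : ' + fixed +
      '\n';
    security_report_v4(severity:SECURITY_WARNING, port:port, proto:proto, extra:report);
  }
  else
  {
    not_vuln_installs = make_list(not_vuln_installs, version + " on port " + proto + "/" + port);
  }
}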
# Final disposition. Any parse/version error aborts the plugin with exit(1)
# (findings already emitted above are kept); otherwise audit out with the
# list of clean installs, or with "not installed" when nothing was checked.
if (max_index(errors) > 0)
{
  if (max_index(errors) == 1)
    errmsg = errors[0];
  else
    errmsg = 'Errors were encountered verifying installations : \n ' + join(errors, sep:'\n ');
  exit(1, errmsg);
}

# audit() terminates the plugin, so the guards below are effectively exits.
if (max_index(not_vuln_installs) > 0)
  audit(AUDIT_INST_VER_NOT_VULN, "Asterisk", not_vuln_installs);

if (is_vuln) exit(0);

audit(AUDIT_NOT_INST, "Asterisk");