Asterisk Project Security Advisory - AST-2008-003
ยฑ-----------------------------------------------------------------------+
| Product | Asterisk |
|--------------------ยฑ--------------------------------------------------|
| Summary | Unauthenticated calls allowed from SIP channel |
| | driver |
|--------------------ยฑ--------------------------------------------------|
| Nature of Advisory | Authentication Bypass |
|--------------------ยฑ--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------ยฑ--------------------------------------------------|
| Severity | Major |
|--------------------ยฑ--------------------------------------------------|
| Exploits Known | No |
|--------------------ยฑ--------------------------------------------------|
| Reported On | March 12, 2008 |
|--------------------ยฑ--------------------------------------------------|
| Reported By | Jason Parker <[email protected]> |
|--------------------ยฑ--------------------------------------------------|
| Posted On | March 18, 2008 |
|--------------------ยฑ--------------------------------------------------|
| Last Updated On | March 18, 2008 |
|--------------------ยฑ--------------------------------------------------|
| Advisory Contact | Jason Parker <[email protected]> |
|--------------------ยฑ--------------------------------------------------|
| CVE Name | CVE-2008-1332 |
ยฑ-----------------------------------------------------------------------+
ยฑ-----------------------------------------------------------------------+
| Description | Unauthenticated calls can be made via the SIP channel |
| | driver using an invalid From header. This acts similarly |
| | to the SIP configuration option 'allowguest=yes', in |
| | that calls with a specially crafted From header would be |
| | sent to the PBX in the context specified in the general |
| | section of sip.conf. |
ยฑ-----------------------------------------------------------------------+
ยฑ-----------------------------------------------------------------------+
| Resolution | A fix has been added which checks for the option |
| | 'allowguest' to be enabled before determining that |
| | authentication is not required. |
| | |
| | As a workaround, modify the context in the general |
| | section of sip.conf to point to a non-trusted location |
| | (example: a non-existent context, or a context that does |
| | nothing but hang up the call). |
ยฑ-----------------------------------------------------------------------+
ยฑ-----------------------------------------------------------------------+
Affected Versions |
---|
Product |
------------------------------ยฑ--------ยฑ------------------------------ |
Asterisk Open Source |
------------------------------ยฑ--------ยฑ------------------------------ |
Asterisk Open Source |
------------------------------ยฑ--------ยฑ------------------------------ |
Asterisk Open Source |
------------------------------ยฑ--------ยฑ------------------------------ |
Asterisk Business Edition |
------------------------------ยฑ--------ยฑ------------------------------ |
Asterisk Business Edition |
------------------------------ยฑ--------ยฑ------------------------------ |
Asterisk Business Edition |
------------------------------ยฑ--------ยฑ------------------------------ |
AsteriskNOW |
------------------------------ยฑ--------ยฑ------------------------------ |
Asterisk Appliance Developer |
Kit |
------------------------------ยฑ--------ยฑ------------------------------ |
s800i (Asterisk Appliance) |
ยฑ-----------------------------------------------------------------------+ |
ยฑ-----------------------------------------------------------------------+
Corrected In |
---|
Product |
---------------ยฑ------------------------------------------------------- |
Asterisk Open |
Source |
---------------ยฑ------------------------------------------------------- |
Asterisk |
Business |
Edition |
---------------ยฑ------------------------------------------------------- |
AsteriskNOW |
---------------ยฑ------------------------------------------------------- |
Asterisk |
Appliance |
Developer Kit |
---------------ยฑ------------------------------------------------------- |
s800i |
(Asterisk |
Appliance) |
ยฑ-----------------------------------------------------------------------+ |
ยฑ-----------------------------------------------------------------------+
| Links | |
ยฑ-----------------------------------------------------------------------+
ยฑ-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-003.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-003.html |
ยฑ-----------------------------------------------------------------------+
ยฑ-----------------------------------------------------------------------+
Revision History |
---|
Date |
------------------ยฑ--------------------ยฑ------------------------------ |
2008-03-18 |
ยฑ-----------------------------------------------------------------------+ |
Asterisk Project Security Advisory - AST-2008-003
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.