[VOIPSEC] AST-2007-027 - Database matching order permits host-based authentication to be ignored

Diana Cionoiu diana-liste at voip.null.ro
Tue Dec 18 15:39:12 CST 2007


Hi,

This is the sweetest bug I've ever seen from Asterisk.

Sweet, sweet, sweet.

Diana

Security Officer wrote:
>                Asterisk Project Security Advisory - AST-2007-027
>
>    +------------------------------------------------------------------------+
>    |      Product       | Asterisk                                          |
>    |--------------------+---------------------------------------------------|
>    |      Summary       | Database matching order permits host-based        |
>    |                    | authentication to be ignored                      |
>    |--------------------+---------------------------------------------------|
>    | Nature of Advisory | Logic error                                       |
>    |--------------------+---------------------------------------------------|
>    |   Susceptibility   | Remote Unauthenticated Sessions                   |
>    |--------------------+---------------------------------------------------|
>    |      Severity      | Moderate                                          |
>    |--------------------+---------------------------------------------------|
>    |   Exploits Known   | No                                                |
>    |--------------------+---------------------------------------------------|
>    |    Reported On     | October 30, 2007                                  |
>    |--------------------+---------------------------------------------------|
>    |    Reported By     | Tilghman Lesher <tlesher AT digium DOT com>       |
>    |--------------------+---------------------------------------------------|
>    |     Posted On      | December 18, 2007                                 |
>    |--------------------+---------------------------------------------------|
>    |  Last Updated On   | December 18, 2007                                 |
>    |--------------------+---------------------------------------------------|
>    |  Advisory Contact  | Tilghman Lesher <tlesher AT digium DOT com>       |
>    |--------------------+---------------------------------------------------|
>    |      CVE Name      | CVE-2007-6430                                     |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    | Description | Due to the way database-based registrations ("realtime") |
>    |             | are processed, IP addresses are not checked when the     |
>    |             | username is correct and there is no password. An         |
>    |             | attacker may impersonate any user using host-based       |
>    |             | authentication without a secret, simply by guessing the  |
>    |             | username of that user. This is limited in scope to       |
>    |             | administrators who have set up the registration database |
>    |             | ("realtime") for authentication and are using only       |
>    |             | host-based authentication, not passwords. However, both  |
>    |             | the SIP and IAX protocols are affected.                  |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    | Resolution | As a workaround, administrators may set a password for    |
>    |            | all users and peers in their registration "realtime"      |
>    |            | database. A fix is included in the newest release of      |
>    |            | Asterisk, as provided below.                              |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |                           Affected Versions                            |
>    |------------------------------------------------------------------------|
>    |          Product           |   Release   |                             |
>    |                            |   Series    |                             |
>    |----------------------------+-------------+-----------------------------|
>    |    Asterisk Open Source    |    1.0.x    | Not affected                |
>    |----------------------------+-------------+-----------------------------|
>    |    Asterisk Open Source    |    1.2.x    | All versions prior to       |
>    |                            |             | 1.2.26                      |
>    |----------------------------+-------------+-----------------------------|
>    |    Asterisk Open Source    |    1.4.x    | All versions prior to       |
>    |                            |             | 1.4.16                      |
>    |----------------------------+-------------+-----------------------------|
>    | Asterisk Business Edition  |    A.x.x    | Not affected                |
>    |----------------------------+-------------+-----------------------------|
>    | Asterisk Business Edition  |    B.x.x    | All versions prior to       |
>    |                            |             | B.2.3.6                     |
>    |----------------------------+-------------+-----------------------------|
>    | Asterisk Business Edition  |    C.x.x    | All versions prior to       |
>    |                            |             | C.1.0-beta8                 |
>    |----------------------------+-------------+-----------------------------|
>    |        AsteriskNOW         | pre-release | Not affected                |
>    |----------------------------+-------------+-----------------------------|
>    |     Asterisk Appliance     |    0.x.x    | Not affected                |
>    |       Developer Kit        |             |                             |
>    |----------------------------+-------------+-----------------------------|
>    | s800i (Asterisk Appliance) |    1.0.x    | Not affected                |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |                              Corrected In                              |
>    |------------------------------------------------------------------------|
>    |                  Product                  |          Release           |
>    |-------------------------------------------+----------------------------|
>    |           Asterisk Open Source            |           1.2.26           |
>    |-------------------------------------------+----------------------------|
>    |           Asterisk Open Source            |           1.4.16           |
>    |-------------------------------------------+----------------------------|
>    |         Asterisk Business Edition         |          B.2.3.6           |
>    |-------------------------------------------+----------------------------|
>    |         Asterisk Business Edition         |        C.1.0-beta8         |
>    |-------------------------------------------+----------------------------|
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |        Links        |                                                  |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    | Asterisk Project Security Advisories are posted at                     |
>    | http://www.asterisk.org/security                                       |
>    |                                                                        |
>    | This document may be superseded by later versions; if so, the latest   |
>    | version will be posted at                                              |
>    | http://downloads.digium.com/pub/security/AST-2007-027.pdf and          |
>    | http://downloads.digium.com/pub/security/AST-2007-027.html             |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |                            Revision History                            |
>    |------------------------------------------------------------------------|
>    |      Date       |         Editor         |       Revisions Made        |
>    |-----------------+------------------------+-----------------------------|
>    | 2007-12-18      | Tilghman Lesher        | Initial Release             |
>    +------------------------------------------------------------------------+
>
>                Asterisk Project Security Advisory - AST-2007-027
>               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
>   Permission is hereby granted to distribute and publish this advisory in its
>                            original, unaltered form.
>
>   
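
Added example (not part of the original post or the advisory): a Python audit for the workaround the advisory describes, flagging realtime rows that have no secret and checking an Asterisk Open Source version against the listed fixed releases. The table names sippeers/iaxpeers, the columns name, host and secret, and the sample rows are assumptions constructed for illustration; adjust them to the local realtime schema.

```python
import sqlite3

# First fixed release per affected open-source series, taken from the advisory.
FIXED_IN = {(1, 2): (1, 2, 26), (1, 4): (1, 4, 16)}

def is_affected(version):
    """True if a dotted numeric Asterisk Open Source version is in an affected range."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_IN.get(parts[:2])   # series not listed as affected -> None
    return fixed is not None and parts < fixed

def passwordless_rows(conn, tables=("sippeers", "iaxpeers")):
    """Return (table, name, host) for realtime rows with no usable secret.

    Table and column names are assumptions, not taken from the advisory.
    """
    findings = []
    for table in tables:
        # Table names come from the fixed tuple above, never from user input.
        query = (f"SELECT name, host FROM {table} "
                 "WHERE secret IS NULL OR TRIM(secret) = '' ORDER BY name")
        findings += [(table, name, host) for name, host in conn.execute(query)]
    return findings

def build_sample_db():
    """Constructed sample data standing in for a realtime database."""
    conn = sqlite3.connect(":memory:")
    for table in ("sippeers", "iaxpeers"):
        conn.execute(f"CREATE TABLE {table} (name TEXT, host TEXT, secret TEXT)")
    conn.executemany("INSERT INTO sippeers VALUES (?, ?, ?)", [
        ("trunk-a", "192.0.2.10", None),      # host-based only: needs a secret
        ("phone-101", "dynamic", "s3cr3t"),   # has a secret
        ("gateway-b", "192.0.2.20", "  "),    # blank secret: needs a secret
    ])
    conn.executemany("INSERT INTO iaxpeers VALUES (?, ?, ?)", [
        ("branch-iax", "198.51.100.5", ""),   # empty secret: needs a secret
    ])
    return conn

if __name__ == "__main__":
    for v in ("1.2.25", "1.4.16"):
        print(v, "affected" if is_affected(v) else "not affected")
    for table, name, host in passwordless_rows(build_sample_db()):
        print(f"{table}: {name} (host={host}) has no secret; set one")
```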




