Asterisk Project Security Advisory - A missing ACL check for handling SIP INVITEs allows a device to make calls on networks intended to be prohibited as defined by the "deny" and "permit" lines in sip.conf. The ACL check for handling SIP registrations was not affected.
a028170ecb278eb6b1813a2f959521f86bee010953bfc98dd29af7dda75eda1c
Asterisk Project Security Advisory - AST-2009-007
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | ACL not respected on SIP INVITE |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Unauthorized calls allowed on prohibited networks |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote unauthorized session |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | October 18, 2009 |
|--------------------+---------------------------------------------------|
| Reported By | Thomas Athineou <thom_winkler AT web DOT de> |
|--------------------+---------------------------------------------------|
| Posted On | October 26, 2009 |
|--------------------+---------------------------------------------------|
| Last Updated On | October 26, 2009 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Jeff Peeler <jpeeler AT digium DOT com> |
|--------------------+---------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | A missing ACL check for handling SIP INVITEs allows a |
| | device to make calls on networks intended to be |
| | prohibited as defined by the "deny" and "permit" lines |
| | in sip.conf. The ACL check for handling SIP |
| | registrations was not affected. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Users should upgrade to a version listed in the |
| | "Corrected In" section below. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.4.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.6.x | All 1.6.1 versions |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.2.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.4.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.6.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | C.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| AsteriskNOW | 1.5 | Unaffected |
|-------------------------------+----------------+-----------------------|
| s800i (Asterisk Appliance) | 1.2.x | Unaffected |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------------------------------------+--------------------------|
| Open Source Asterisk 1.6.1 | 1.6.1.8 |
+------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
| Patches |
|----------------------------------------------------------------------------|
| SVN URL |Version|
|--------------------------------------------------------------------+-------|
|https://downloads.digium.com/pub/security/AST-2009-007-1.6.1.diff.txt| 1.6.1 |
+----------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| https://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| https://downloads.digium.com/pub/security/AST-2009-007.pdf and |
| https://downloads.digium.com/pub/security/AST-2009-007.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|------------------------+------------------+----------------------------|
| October 26, 2009 | Jeff Peeler | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2009-007
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.