Asterisk Project Security Advisory - Host access rules using permit= and deny= configurations behave unpredictably if the CIDR notation /0 is used. Depending on the system's behavior, this may act as desired, but in other cases it might not, thereby allowing access from hosts that should be denied.
96b5d56898cb42ff746d93184ad1b2cd Asterisk Project Security Advisory - AST-2010-003
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Invalid parsing of ACL rules can compromise |
| | security |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Unauthorized access to system |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | Feb 24, 2010 |
|--------------------+---------------------------------------------------|
| Reported By | Mark Michelson |
|--------------------+---------------------------------------------------|
| Posted On | Feb 25, 2010 |
|--------------------+---------------------------------------------------|
| Last Updated On | February 25, 2010 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------+---------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | Host access rules using "permit=" and "deny=" |
| | configurations behave unpredictably if the CIDR notation |
| | "/0" is used. Depending on the system's behavior, this |
| | may act as desired, but in other cases it might not, |
| | thereby allowing access from hosts that should be |
| | denied. |
| | |
| | Note that even if an unauthorized host is allowed access |
| | due to this exploit, authentication measures still in |
| | place would prevent further unauthorized access. |
| | |
| | Note also that there is a workaround for this problem, |
| | which is to use the dotted-decimal format "/0.0.0.0" |
| | instead of CIDR notation. The bug does not exist when |
| | using this format. In addition, this format is what is |
| | used in Asterisk's sample configuration files. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Code has been corrected to behave consistently on all |
| | systems when "/0" is used. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.x | All 1.6.0, 1.6.1 and 1.6.2 |
| | | releases |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.4.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.6.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| AsteriskNOW | 1.5 | Unaffected |
|----------------------------+---------+---------------------------------|
| s800i (Asterisk Appliance) | 1.2.x | Unaffected |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.0.25 |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.1.17 |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.2.5 |
+------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
| Patches |
|-------------------------------------------------------------------------|
| URL |Branch|
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.0 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.1 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.2 |
+-------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2010-003.pdf and |
| http://downloads.digium.com/pub/security/AST-2010-003.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+----------------------+-----------------------------|
| Feb 24, 2010 | Mark Michelson | Initial Advisory |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2010-003
Copyright (c) 2010 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!