Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 202733 - net-misc/asterisk <1.2.26 Remote Unauthenticated Sessions (CVE-2007-6430)
Summary: net-misc/asterisk <1.2.26 Remote Unauthenticated Sessions (CVE-2007-6430)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://lists.digium.com/pipermail/ast...
Whiteboard: C3 [glsa]
Keywords:
Depends on: 213883
Blocks:
  Show dependency tree
 
Reported: 2007-12-18 22:51 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2008-04-14 22:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-12-18 22:51:14 UTC
Asterisk Project Security Advisory - AST-2007-027

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Database matching order permits host-based        |
   |                    | authentication to be ignored                      |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Logic error                                       |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | October 30, 2007                                  |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Tilghman Lesher <tlesher AT digium DOT com>       |
   |--------------------+---------------------------------------------------|
   |     Posted On      | December 18, 2007                                 |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | December 18, 2007                                 |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Tilghman Lesher <tlesher AT digium DOT com>       |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-6430                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Due to the way database-based registrations ("realtime") |
   |             | are processed, IP addresses are not checked when the     |
   |             | username is correct and there is no password. An         |
   |             | attacker may impersonate any user using host-based       |
   |             | authentication without a secret, simply by guessing the  |
   |             | username of that user. This is limited in scope to       |
   |             | administrators who have set up the registration database |
   |             | ("realtime") for authentication and are using only       |
   |             | host-based authentication, not passwords. However, both  |
   |             | the SIP and IAX protocols are affected.                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | As a workaround, administrators may set a password for    |
   |            | all users and peers in their registration "realtime"      |
   |            | database. A fix is included in the newest release of      |
   |            | Asterisk, as provided below.                              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | All versions prior to       |
   |                            |             | 1.2.26                      |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | All versions prior to       |
   |                            |             | 1.4.16                      |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | All versions prior to       |
   |                            |             | B.2.3.6                     |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    C.x.x    | All versions prior to       |
   |                            |             | C.1.0-beta8                 |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | Not affected                |
   |       Developer Kit        |             |                             |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | Not affected                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                  |          Release           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.2.26           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.4.16           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |          B.2.3.6           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |        C.1.0-beta8         |
   |-------------------------------------------+----------------------------|
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2007-027.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2007-027.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2007-12-18      | Tilghman Lesher        | Initial Release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-027
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-12-18 22:52:38 UTC
From: The Asterisk Development Team <asteriskteam@digium.com>
To: undisclosed-recipients:  ;
Date: Tue, 18 Dec 2007 13:50:10 -0600
Subject: [asterisk-announce] Asterisk 1.4.16 and 1.2.26 released

The Asterisk.org development team has released Asterisk versions 1.4.16 and
1.2.26.  Both releases contain a fix for a security vulnerability.  The 1.4.16
release also contains a number of other bug fixes made over the past few weeks.

The details of the security issue have been published in a security advisory:

http://downloads.digium.com/pub/security/AST-2007-027.pdf

The issue affects users of the dynamic realtime configuration method for IAX2 or SIP that use host based authentication.  Systems that do not use host based
authentication with realtime are not affected.

A full list of changes is available in the ChangeLog, which is distributed with
the release and is also available on the downloads page.

http://downloads.digium.com/pub/telephony/asterisk/ChangeLog-1.4.16

The releases are available for immediate download from http://downloads.digium.com/.

Thank you for your support!
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:58:39 UTC
voip please bump.
Comment 3 Vieri 2008-03-04 19:14:25 UTC
How we can pitch in on this:
http://bugs.gentoo.org/show_bug.cgi?id=212306
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-03-23 08:34:00 UTC
net-misc/asterisk-1.2.27 in cvs.
target keywords are amd64 sparc x86.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-23 11:06:30 UTC
stabling on bug 213883.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-29 20:19:07 UTC
Two YES on bug 213883.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 22:31:57 UTC
GLSA 200804-13