Bug 213883 - net-misc/asterisk <1.2.27 Remote Unauthenticated Sessions (CVE-2008-1332)
Summary: net-misc/asterisk <1.2.27 Remote Unauthenticated Sessions (CVE-2008-1332)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://downloads.digium.com/pub/secur...
Whiteboard: C3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2007-6170 202733
Reported: 2008-03-19 02:28 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2008-04-14 22:31 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-03-19 02:28:47 UTC
Asterisk Project Security Advisory - AST-2008-003

  +------------------------------------------------------------------------+
  |      Product       | Asterisk                                          |
  |--------------------+---------------------------------------------------|
  |      Summary       | Unauthenticated calls allowed from SIP channel    |
  |                    | driver                                            |
  |--------------------+---------------------------------------------------|
  | Nature of Advisory | Authentication Bypass                             |
  |--------------------+---------------------------------------------------|
  |   Susceptibility   | Remote Unauthenticated Sessions                   |
  |--------------------+---------------------------------------------------|
  |      Severity      | Major                                             |
  |--------------------+---------------------------------------------------|
  |   Exploits Known   | No                                                |
  |--------------------+---------------------------------------------------|
  |    Reported On     | March 12, 2008                                    |
  |--------------------+---------------------------------------------------|
  |    Reported By     | Jason Parker <jparker@digium.com>                 |
  |--------------------+---------------------------------------------------|
  |     Posted On      | March 18, 2008                                    |
  |--------------------+---------------------------------------------------|
  |  Last Updated On   | March 18, 2008                                    |
  |--------------------+---------------------------------------------------|
  |  Advisory Contact  | Jason Parker <jparker@digium.com>                 |
  |--------------------+---------------------------------------------------|
  |      CVE Name      | CVE-2008-1332                                     |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Description | Unauthenticated calls can be made via the SIP channel    |
  |             | driver using an invalid From header. This acts similarly |
  |             | to the SIP configuration option 'allowguest=yes', in     |
  |             | that calls with a specially crafted From header would be |
  |             | sent to the PBX in the context specified in the general  |
  |             | section of sip.conf.                                     |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Resolution | A fix has been added which checks for the option          |
  |            | 'allowguest' to be enabled before determining that        |
  |            | authentication is not required.                           |
  |            |                                                           |
  |            | As a workaround, modify the context in the general        |
  |            | section of sip.conf to point to a non-trusted location    |
  |            | (example: a non-existent context, or a context that does  |
  |            | nothing but hang up the call).                            |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                           Affected Versions                            |
  |------------------------------------------------------------------------|
  |           Product            | Release |                               |
  |                              | Series  |                               |
  |------------------------------+---------+-------------------------------|
  |     Asterisk Open Source     |  1.0.x  | All versions                  |
  |------------------------------+---------+-------------------------------|
  |     Asterisk Open Source     |  1.2.x  | All versions prior to 1.2.27  |
  |------------------------------+---------+-------------------------------|
  |     Asterisk Open Source     |  1.4.x  | All versions prior to         |
  |                              |         | 1.4.18.1 and 1.4.19-rc3       |
  |------------------------------+---------+-------------------------------|
  |  Asterisk Business Edition   |  A.x.x  | All versions                  |
  |------------------------------+---------+-------------------------------|
  |  Asterisk Business Edition   |  B.x.x  | All versions prior to B.2.5.1 |
  |------------------------------+---------+-------------------------------|
  |  Asterisk Business Edition   |  C.x.x  | All versions prior to C.1.6.2 |
  |------------------------------+---------+-------------------------------|
  |         AsteriskNOW          |  1.0.x  | All versions prior to 1.0.2   |
  |------------------------------+---------+-------------------------------|
  | Asterisk Appliance Developer |   SVN   | All versions prior to         |
  |             Kit              |         | Asterisk 1.4 revision 109393  |
  |------------------------------+---------+-------------------------------|
  |  s800i (Asterisk Appliance)  |  1.0.x  | All versions prior to 1.1.0.2 |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                              Corrected In                              |
  |------------------------------------------------------------------------|
  |    Product    |                        Release                         |
  |---------------+--------------------------------------------------------|
  | Asterisk Open |      1.2.27, 1.4.18.1/1.4.19-rc3, available from       |
  |    Source     |   http://downloads.digium.com/pub/telephony/asterisk   |
  |---------------+--------------------------------------------------------|
  |   Asterisk    |                    B.2.5.1, C.1.6.2                    |
  |   Business    |                                                        |
  |    Edition    |                                                        |
  |---------------+--------------------------------------------------------|
  |  AsteriskNOW  |   1.0.2, available from http://www.asterisknow.org/    |
  |               |                                                        |
  |               |    Current users can update using the system update    |
  |               |        feature in the appliance control panel.         |
  |---------------+--------------------------------------------------------|
  |   Asterisk    | Asterisk 1.4 revision 109393. Available by performing  |
  |   Appliance   |            an svn update of the AADK tree.             |
  | Developer Kit |                                                        |
  |---------------+--------------------------------------------------------|
  |     s800i     |                        1.1.0.2                         |
  |   (Asterisk   |                                                        |
  |  Appliance)   |                                                        |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |        Links         |                                                 |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Asterisk Project Security Advisories are posted at                     |
  | http://www.asterisk.org/security                                       |
  |                                                                        |
  | This document may be superseded by later versions; if so, the latest   |
  | version will be posted at                                              |
  | http://downloads.digium.com/pub/security/AST-2008-003.pdf and          |
  | http://downloads.digium.com/pub/security/AST-2008-003.html             |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                            Revision History                            |
  |------------------------------------------------------------------------|
  |       Date       |       Editor        |        Revisions Made         |
  |------------------+---------------------+-------------------------------|
  | 2008-03-18       | Jason Parker        | Initial Release               |
  +------------------------------------------------------------------------+

              Asterisk Project Security Advisory - AST-2008-003
             Copyright (c) 2008 Digium, Inc. All Rights Reserved.
 Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.
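The Resolution table's workaround (point the [general] context at a place that cannot reach the real dialplan) can be audited mechanically. This Python checker is an added example, not part of the advisory or of Asterisk itself; the sip.conf and extensions.conf snippets are constructed, and the context names internal and guest-reject are hypothetical.

```python
import re

# Constructed sample configs (not from the advisory); 'internal' and
# 'guest-reject' are hypothetical context names.
WEAK_SIP_CONF = "[general]\ncontext=internal   ; trusted context\nallowguest=no\n"
HARDENED_SIP_CONF = "[general]\ncontext=guest-reject\nallowguest=no\n"
EXTENSIONS_CONF = """
[internal]
exten => _X.,1,Dial(SIP/${EXTEN})

[guest-reject]
exten => _X.,1,NoOp(Unauthenticated SIP call dropped)
exten => _X.,2,Hangup()
"""

def parse_asterisk_conf(text):
    """Parse Asterisk's ini-like syntax into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # ';' starts a comment
        if not line:
            continue
        head = re.match(r"\[([^\]]+)\]", line)
        if head:
            current = head.group(1)
            sections.setdefault(current, [])
            continue
        kv = re.match(r"([^=]+?)\s*=>?\s*(.*)", line)    # 'key=value' or 'key => value'
        if kv and current is not None:
            sections[current].append((kv.group(1), kv.group(2)))
    return sections

def audit_general_context(sip_conf, extensions_conf):
    """Return (safe, reason): safe means a call landing in the [general]
    context finds no such dialplan context, or one that only NoOps/Hangups."""
    general = dict(parse_asterisk_conf(sip_conf).get("general", []))
    ctx = general.get("context", "default")            # chan_sip falls back to 'default'
    plan = parse_asterisk_conf(extensions_conf)
    if ctx not in plan:
        return True, f"[general] context '{ctx}' is not defined in the dialplan"
    for key, value in plan[ctx]:
        if key != "exten":                             # include/switch widen the context
            return False, f"context '{ctx}' uses '{key}' and may reach other contexts"
        parts = value.split(",", 2)
        app = re.match(r"\w*", parts[2].strip()).group(0) if len(parts) == 3 else ""
        if app.lower() not in ("hangup", "noop"):
            return False, f"context '{ctx}' runs '{parts[2].strip()}' for guest callers"
    return True, f"context '{ctx}' only hangs up"
```

Run `audit_general_context(WEAK_SIP_CONF, EXTENSIONS_CONF)` and the hardened variant side by side; only the latter reports the [general] context as safe.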
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-19 11:28:02 UTC
Ebuilds are on bug 200792.

voip, how is the asterisk 1.2 situation with you now? It has been months since any movement. Can we mask this package?
Comment 2 Rambaldi 2008-03-21 17:15:37 UTC
Ebuild for asterisk-1.4.18.1 is now available on the voip overlay.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 23:32:15 UTC
voip, is it possible to proxy-maintain this package in the 1.4 series? Is it a target of your team to keep 1.2 in the tree?
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-03-23 08:35:27 UTC
net-misc/asterisk-1.2.27 in cvs.
Target keywords are amd64 sparc x86.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-23 11:05:31 UTC
Thanks, rajiv.
Arches, do your magic!
Comment 6 Markus Meier gentoo-dev 2008-03-23 22:26:14 UTC
amd64/x86 stable.
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-03-25 16:13:10 UTC
Sparc stable.
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2008-03-26 10:21:57 UTC
Fixed in release snapshot.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 19:40:04 UTC
I'd vote YES for the total of all three bugs.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-29 20:11:06 UTC
Voting YES and filing request.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 22:31:52 UTC
GLSA 200804-13