"Write=originate, is sufficient permissions for code execution / System() dialplan"

Essentially, under certain conditions it's possible to abuse an AMI connection to escalate AMI permissions and effectively take control of the remote asterisk instance.

Reproducible: Always
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a317bb44bf4e248c4f90c40aca888f25baa868ed

commit a317bb44bf4e248c4f90c40aca888f25baa868ed
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-08-12 12:51:46 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-08-13 07:36:27 +0000

    net-misc/asterisk: drop 18.24.1, 20.6.0, 20.9.1, 21.1.0, 21.4.1

    Remove ~ security affected versions.

    https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44

    Security stable to follow pending removal of current stables.

    Bug: https://bugs.gentoo.org/937844
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/38114
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest                |   5 -
 net-misc/asterisk/asterisk-18.24.1.ebuild | 371 ------------------------------
 net-misc/asterisk/asterisk-20.6.0.ebuild  | 357 ----------------------------
 net-misc/asterisk/asterisk-20.9.1.ebuild  | 367 -----------------------------
 net-misc/asterisk/asterisk-21.1.0.ebuild  | 344 ---------------------------
 net-misc/asterisk/asterisk-21.4.1.ebuild  | 354 ----------------------------
 6 files changed, 1798 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4491bd30732335ccba6ab430cbfad7a64babc229

commit 4491bd30732335ccba6ab430cbfad7a64babc229
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-08-12 12:50:25 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-08-13 07:36:27 +0000

    net-misc/asterisk: add 21.4.2

    Bug: https://bugs.gentoo.org/937844
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest               |   1 +
 net-misc/asterisk/asterisk-21.4.2.ebuild | 354 +++++++++++++++++++++++++++++++
 2 files changed, 355 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dca76fc9db69976e59d32290f4877e68031fd3e5

commit dca76fc9db69976e59d32290f4877e68031fd3e5
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-08-12 12:46:53 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-08-13 07:36:26 +0000

    net-misc/asterisk: add 20.9.2

    Bug: https://bugs.gentoo.org/937844
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest               |   1 +
 net-misc/asterisk/asterisk-20.9.2.ebuild | 367 +++++++++++++++++++++++++++++++
 2 files changed, 368 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d794c6284f67e864f10078b59fa132bda0de757

commit 1d794c6284f67e864f10078b59fa132bda0de757
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-08-12 12:44:50 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-08-13 07:36:26 +0000

    net-misc/asterisk: add 18.24.2

    Bug: https://bugs.gentoo.org/937844
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-18.24.2.ebuild | 371 ++++++++++++++++++++++++++++++
 2 files changed, 372 insertions(+)
Security fix back-ported for asterisk 16: https://github.com/gentoo/gentoo/pull/38129

We need to include that in the stable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de4e9bccfe1cce7643756077e100100ef41f7ddb

commit de4e9bccfe1cce7643756077e100100ef41f7ddb
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-08-13 09:45:57 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-08-13 16:57:45 +0000

    net-misc/asterisk: back-port security fix for 16.30.1

    Bug: https://bugs.gentoo.org/937844
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/38129
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/asterisk-16.30.1-r3.ebuild       | 361 +++++++++++++++++++++
 ...ager.c-Add-entries-to-Originate-blacklist.patch | 205 ++++++++++++
 2 files changed, 566 insertions(+)
(In reply to Jaco Kroon from comment #0)
> Essentially, under certain conditions it's possible to abuse an AMI
> connection to escalate AMI permissions and effectively take control of the
> remote asterisk instance.

I'm trying to determine the correct severity for this. Does this mean that anyone could take control, or is some kind of prior access (e.g. an account) required? With B0 I've currently assumed the former.
(In reply to Hans de Graaff from comment #4)
> (In reply to Jaco Kroon from comment #0)
> > Essentially, under certain conditions it's possible to abuse an AMI
> > connection to escalate AMI permissions and effectively take control of the
> > remote asterisk instance.
>
> I'm trying to determine the correct severity for this. Does this mean that
> anyone could take control, or is some kind of prior access (e.g. an account)
> required? With B0 I've currently assumed the former.

Prior access to AMI is required, it's a convoluted attack IMHO. That said, more and more pressure is put on providers to expose some level of access to AMI for clients.

IMHO I would probably not even issue a GLSA if it was up to me, but I would stable the new versions and purge old ones just for safety's sake. That said, now that this is in the public domain ...

There are also a bunch of existing security bugs for asterisk open from historic reports, none of those affected versions are still in-tree, and in fact, I already patched 16.X again after the security patch broke call handling for IAX/2 (my patch was accepted into 18.X and newer).

Specifically I would suggest we stable:

16.30.1-r3
18.24.2

I'm not sure how much asterisk 20 brings to the table compared to 20, but have run into problems with it in the past, I just can't remember the details and haven't had the capacity to sit down and really go through everything there in detail. That said, we can consider also stabling 20.9.2. Just scanning the "major changes again" I think res_monitor got broken for us, and I still need to code up a replacement (MixMonitor is NOT a viable or realistic replacement in some scenarios). Anyway, will deploy this to one of our less loaded hosts and see if something crops up and then push a separate stable request for that.

21.X is considered development, and it's only in tree because it was requested.

Then remove:

16.30.1-r1
16.30.1-r2
18.21.0
(In reply to Jaco Kroon from comment #5)
> Prior access to AMI is required, it's a convoluted attack IMHO. That said,
> more and more pressure are put on providers to expose some level of access
> to AMI for clients.

I've updated the classification accordingly.

> IMHO I would probably not even issue a GLSA if it was up to me, but I would
> stable the new versions and purge old ones just for safety sake. That said,
> now that this is in the public domain ...

Privilege escalation always has a "high" severity in our classification, so a GLSA will be issued for this.

> There are also a bunch of existing security bugs for asterisk open from
> historic reports, none of those affected versions are still in-tree, and in
> fact, I already patched 16.X again after the security patch broke call
> handling for IAX/2 (my patch was accepted into 18.X and newer).

I've updated existing bugs where needed. Most of these are lower severity and we are behind on issuing GLSAs for these. We can bundle them all together with the GLSA for this issue.

I'll leave stabling/cleanup up to you, you know best how to balance urgency of the security issue with availability and risk of breaking things.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87f0a98c9ce18601575cfa22ff03b67618dd561d

commit 87f0a98c9ce18601575cfa22ff03b67618dd561d
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-08-16 08:13:27 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-08-18 17:33:18 +0000

    net-misc/asterisk: drop 16.30.1-r1, 16.30.1-r2, 18.21.0

    Security affected.

    Bug: https://bugs.gentoo.org/937844
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 net-misc/asterisk/Manifest                   |   1 -
 net-misc/asterisk/asterisk-16.30.1-r1.ebuild | 365 ---------------------------
 net-misc/asterisk/asterisk-16.30.1-r2.ebuild | 360 --------------------------
 net-misc/asterisk/asterisk-18.21.0.ebuild    | 362 --------------------------
 4 files changed, 1088 deletions(-)
I believe this is now entirely in the hands of the security team and nothing more from my side that I can help with or that's required?
Now that cleanup is done, that should be everything from the maintainer side, yes.