Bug 237476 (CVE-2008-3903) - <net-misc/asterisk-1.2.32: SIP username disclosure (CVE-2008-3903)
Summary: <net-misc/asterisk-1.2.32: SIP username disclosure (CVE-2008-3903)
Status: RESOLVED FIXED
Alias: CVE-2008-3903
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://downloads.digium.com/pub/secur...
Whiteboard: B4 [glsa]
Keywords:
Duplicates: 264677
Depends on:
Blocks:
 
Reported: 2008-09-12 13:45 UTC by Robert Buchholz (RETIRED)
Modified: 2009-05-02 17:57 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 13:45:48 UTC
CVE-2008-3903 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3903):
  Asterisk PBX 1.2 through 1.6 and Trixbox PBX 2.6.1, when running with
  Digest authentication and authalwaysreject enabled, generates
  different responses depending on whether or not a SIP username is
  valid, which allows remote attackers to enumerate valid usernames.
Comment 1 kfm 2009-02-23 05:52:36 UTC
The manner in which this bug should be resolved is far from clear. I could find no mention of the vulnerability upstream, so I enquired in the #asterisk-dev channel as follows:

"I am not sure what to do with it as I'm having difficulty in determining whether it was filed/discussed and, if it was, whether it was deemed to be a valid bug in asterisk or simply a deficiency in the SIP protocol. could anyone shed some light on that?"

Someone eventually responded, stating that it was a deficiency in the SIP protocol and expressing irritation that the "vulnerability" had not been referred to security@asterisk.org. Further questions on the matter did not elicit a response.

Now, looking at the sample sip.conf file in asterisk, the effect of the alwaysauthreject option is explained thus:

"When an incoming INVITE or REGISTER is to be rejected, for any reason, always reject with '401 Unauthorized' instead of letting the requester know whether there was a matching user or peer for their request"

However, the author of the advisory is claiming that, even where the alwaysauthreject option is enabled, an INVITE/SUBSCRIBE/REGISTER operation involving a correct username combined with an incorrect password results in a "SIP/2.0 403 Forbidden (Bad auth)" response.

If that is the case - and remains the case in the latest tagged releases of asterisk - then I am personally inclined to agree that this is indeed a bona fide vulnerability. Ergo, should the user activate the alwaysauthreject option, there should be no circumstance that arises where a 403 response may be issued (precisely as the documentation suggests).

I would suggest that we perform some independent testing to verify the validity of the advisory as it currently stands with respect to the current releases: 1.2.31.1, 1.4.23.1 and 1.6.0.5. Then, depending on the outcome:

a) Refer to upstream through the approved channels (if valid)
b) Close this bug as INVALID
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-03-12 03:36:54 UTC
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-12 16:07:43 UTC
Mailed upstream to get a statement.
Comment 4 kfm 2009-03-18 23:38:14 UTC
Rajiv, as far as I'm aware, all versions of asterisk remain affected. Therefore, that commit doesn't change anything; this isn't one of the many security bugs that are otherwise resolved :)

At any rate, I have personally confirmed that the defect applies to 1.4.23.1.

Alex, did you hear back from upstream yet?
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-18 23:45:47 UTC
(In reply to comment #4)
> Alex, did you hear back from upstream yet?
> 

Yes, I did. They were not aware of this issue yet, but: "We'll look at resolving this issue ourselves with an upcoming advisory."
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-02 19:35:34 UTC
*** Bug 264677 has been marked as a duplicate of this bug. ***
Comment 7 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-04-02 19:42:38 UTC
http://lists.digium.com/pipermail/asterisk-announce/2009-April/000177.html

               Asterisk Project Security Advisory - AST-2009-003

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | SIP responses expose valid usernames              |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Information leak                                  |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Minor                                             |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | February 23, 2009                                 |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Gentoo Linux Project: Kerin Millar ( kerframil on |
   |                    | irc.freenode.net ) and Fergal Glynn < FGlynn AT   |
   |                    | veracode DOT com >                                |
   |--------------------+---------------------------------------------------|
   |     Posted On      | April 2, 2009                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | April 2, 2009                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Tilghman Lesher < tlesher AT digium DOT com >     |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2008-3903                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | In 2006, the Asterisk maintainers made it more difficult |
   |             | to scan for valid SIP usernames by implementing an       |
   |             | option called "alwaysauthreject", which should return a  |
   |             | 401 error on all replies which are generated for users   |
   |             | which do not exist. While this was sufficient at the     |
   |             | time, due to ever increasing compliance with RFC 3261,   |
   |             | the SIP specification, that is no longer sufficient as a |
   |             | means towards preventing attackers from checking         |
   |             | responses to verify whether a SIP account exists on a    |
   |             | machine.                                                 |
   |             |                                                          |
   |             | What we have done is to carefully emulate exactly the    |
   |             | same responses throughout possible dialogs, which should |
   |             | prevent attackers from gleaning this information. All    |
   |             | invalid users, if this option is turned on, will receive |
   |             | the same response throughout the dialog, as if a         |
   |             | username was valid, but the password was incorrect.      |
   |             |                                                          |
   |             | It is important to note several things. First, this      |
   |             | vulnerability is derived directly from the SIP           |
   |             | specification, and it is a technical violation of RFC    |
   |             | 3261 (and subsequent RFCs, as of this date), for us to   |
   |             | return these responses. Second, this attack is made much |
   |             | more difficult if administrators avoided creating        |
   |             | all-numeric usernames and especially all-numeric         |
   |             | passwords. This combination is extremely vulnerable for  |
   |             | servers connected to the public Internet, even with this |
   |             | patch in place. While it may make configuring SIP        |
   |             | telephones easier in the short term, it has the          |
   |             | potential to cause grief over the long term.             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   |            | patches specified in the Patches section.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |  Release   |                              |
   |                            |   Series   |                              |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.2.x    | All versions prior to 1.2.32 |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.4.x    | All versions prior to        |
   |                            |            | 1.4.24.1                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.0.x   | All versions prior to        |
   |                            |            | 1.6.0.8                      |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.2.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.4.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.6.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   A.x.x    | All versions                 |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   B.x.x    | All versions prior to        |
   |                            |            | B.2.5.8                      |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |  C.1.x.x   | All versions prior to        |
   |                            |            | C.1.10.5                     |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |  C.2.x.x   | All versions prior to        |
   |                            |            | C.2.3.3                      |
   |----------------------------+------------+------------------------------|
   |        AsteriskNOW         |    1.5     | Not affected                 |
   |----------------------------+------------+------------------------------|
   | s800i (Asterisk Appliance) |   1.3.x    | All versions prior to        |
   |                            |            | 1.3.0.2                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.32          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.24.1         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.0.8          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.8          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.1.10.5         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.3.3          |
   |---------------------------------------------+--------------------------|
   |         s800i (Asterisk Appliance)          |         1.3.0.2          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                           Patch URL                            |Version|
   |----------------------------------------------------------------+-------|
   |http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt   |  1.2  |
   |----------------------------------------------------------------+-------|
   |http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt   |  1.4  |
   |----------------------------------------------------------------+-------|
   |http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt | 1.6.0 |
   |----------------------------------------------------------------+-------|
   |http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt | 1.6.1 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |       Links        | http://www.faqs.org/rfcs/rfc3261.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-003.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-003.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2009-04-02      | Tilghman Lesher        | Initial release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-003
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
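An added illustration, written for this page and not taken from Asterisk or from any commenter, of the behaviour kfm describes in comment 1 (a 401 for an unknown user but a "403 Forbidden (Bad auth)" for a known user with the wrong password) and of the two points the advisory makes: the fix of returning the same response throughout the dialog whether or not the user exists, and the advice against all-numeric usernames and secrets. The dialog phases, the peer table, the `respond_pre_fix`/`respond_post_fix` handlers and the sip.conf excerpt are simplified constructions; only the status lines are the ones quoted above.

```python
"""Added model (not Asterisk source) of CVE-2008-3903 / AST-2009-003: how a
registrar's replies can reveal whether a username exists, how answering every
failure exactly as 'valid user, wrong password' closes that channel, and an
audit for the all-numeric username/secret combination the advisory warns
against.  Dialog phases, peer table and sip.conf text are constructed."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed peer table (username -> secret); not a real configuration.
PEERS = {"alice": "correct-horse-battery", "1001": "1001"}


@dataclass(frozen=True)
class Response:
    code: int
    reason: str

CHALLENGE = Response(401, "Unauthorized")         # carries a WWW-Authenticate nonce
BAD_AUTH = Response(403, "Forbidden (Bad auth)")  # status line quoted in comment 1
OK = Response(200, "OK")

def digest(username: str, secret: str, nonce: str) -> str:
    """Toy stand-in for the RFC 2617 digest; only equality matters here."""
    return hashlib.sha256(f"{username}:{nonce}:{secret}".encode()).hexdigest()

def respond_pre_fix(username: str, creds: Optional[str], nonce: str) -> Response:
    """Behaviour reported with alwaysauthreject=yes: an unknown user is just
    challenged again, but a known user with a wrong secret gets 403."""
    if creds is None:
        return CHALLENGE
    secret = PEERS.get(username)
    if secret is None:
        return CHALLENGE                 # alwaysauthreject hides "no such user"...
    if digest(username, secret, nonce) != creds:
        return BAD_AUTH                  # ...but this reply confirms the user exists
    return OK

def respond_post_fix(username: str, creds: Optional[str], nonce: str) -> Response:
    """Fixed behaviour as the advisory describes it (assumed shape, not the
    upstream patch): every failure, user known or not, gets the same reply
    as 'valid user, wrong password' at every stage of the dialog."""
    if creds is None:
        return CHALLENGE
    secret = PEERS.get(username)
    if secret is not None and digest(username, secret, nonce) == creds:
        return OK
    return BAD_AUTH

Handler = Callable[[str, Optional[str], str], Response]

def dialog(handler: Handler, username: str, guess: str) -> List[Response]:
    """Two-round REGISTER exchange as a client sees it: an unauthenticated
    request, then one answering the challenge with a digest of `guess`."""
    nonce = secrets.token_hex(8)
    first = handler(username, None, nonce)
    if first.code != 401:
        return [first]
    return [first, handler(username, digest(username, guess, nonce), nonce)]

def leaks_user_existence(handler: Handler) -> bool:
    """Defender's check: do the status lines for an unknown user differ from
    those for a known user with a wrong secret?  True means enumerable."""
    return dialog(handler, "nobody-here", "wrong") != dialog(handler, "alice", "wrong")

def all_numeric_peers(sip_conf: str) -> List[str]:
    """Names of sip.conf sections whose name and secret are both all digits."""
    secrets_by_section = {}
    section = None
    for raw in sip_conf.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in sip.conf
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            secrets_by_section.setdefault(section, None)
        elif section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "secret":
                secrets_by_section[section] = value
    return [name for name, sec in secrets_by_section.items()
            if name.isdigit() and sec is not None and sec.isdigit()]

# Constructed sip.conf excerpt for the audit above.
SAMPLE_SIP_CONF = """\
[general]
alwaysauthreject=yes

[1001]
secret=1001      ; numeric name AND numeric secret: flagged

[1002]
secret=Gx7!qLp   ; numeric name, non-numeric secret: not flagged

[alice]
secret=123456    ; non-numeric name: not flagged
"""

if __name__ == "__main__":
    print("pre-fix leaks user existence: ", leaks_user_existence(respond_pre_fix))
    print("post-fix leaks user existence:", leaks_user_existence(respond_post_fix))
    print("all-numeric peers:", all_numeric_peers(SAMPLE_SIP_CONF))
```

`leaks_user_existence` is the property worth checking on any registrar: True means an outside observer who sees only status lines can tell which usernames exist. The post-fix handler also makes visible why the advisory calls the fix a technical violation of RFC 3261: it deliberately answers a non-existent user with the status reserved for an authentication failure.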

Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-02 19:44:43 UTC
See above.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-04-03 15:17:38 UTC
Arches, please test and mark stable:
=net-misc/asterisk-1.2.32
Target keywords : "alpha amd64 ppc sparc x86"
Comment 10 Markus Meier gentoo-dev 2009-04-04 13:41:53 UTC
amd64/x86 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2009-04-05 10:35:48 UTC
Compiling with USE=-postgres doesn't work:

alpha-unknown-linux-gnu-gcc -mieee -pipe -O2 -mcpu=ev67  -pipe  -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations  -Iinclude -I../include -D_REENTRANT -D_GNU_SOURCE  -mieee -pipe -O2 -mcpu=ev67        -DLOW_MEMORY -fomit-frame-pointer  -fPIC -I/usr/include/postgresql   -c -o cdr_pgsql.o cdr_pgsql.c
cdr_pgsql.c:43:22: error: libpq-fe.h: No such file or directory
cdr_pgsql.c:43:22: error: libpq-fe.h: No such file or directory
cdr_pgsql.c:67: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
cdr_pgsql.c:68: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
cdr_pgsql.c: In function 'pgsql_log':
cdr_pgsql.c:83: error: 'conn' undeclared (first use in this function)
cdr_pgsql.c:83: error: (Each undeclared identifier is reported only once
cdr_pgsql.c:83: error: for each function it appears in.)

With USE=postgres, everything compiles and the package works. Holding off stabilization for now. If you think the security problem warrants this breakage, please say so, I'm kinda on the fence in this case.

Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2009-04-05 10:49:20 UTC
emerge --info
Portage 2.1.6.11 (default/linux/alpha/2008.0, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.29 alpha)
=================================================================
System uname: Linux-2.6.29-alpha-EV68AL-with-glibc2.0
Timestamp of tree: Sat, 04 Apr 2009 17:45:01 +0000
distcc 3.1 alpha-unknown-linux-gnu [enabled]
app-shells/bash:     4.0_p10-r1
dev-lang/python:     2.4.4-r15, 2.5.4-r2
dev-util/cmake:      2.6.3
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.4.3-r1
sys-apps/sandbox:    1.7
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.28-r1
ACCEPT_KEYWORDS="alpha ~alpha"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev67"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev67"
DISTDIR="/usr/portage/distfiles"
FEATURES="distcc distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans usepkg userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.tiscali.nl/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync5.de.gentoo.org/gentoo-portage"
USE="X acl alpha alsa apache2 audiofile bash-completion berkdb bzip2 calendar cdparanoia cdr cli cracklib crypt dio dri encode ethereal exif ffmpeg fftw firefox flac fortran ftp gdbm gpm iconv imlib2 isdnlog jpeg kdeenablefinal libcaca lua mad matroska midi mmap mng moznocompose moznoirc moznomail mozsvg mpeg mudflap ncurses network-cron nls nptl nptlonly offensive ogg openmp pam pcre pdflib perl png pnm ppds pppd python rar readline recode reflection session sharedmem sockets sox spl ssl svg sysfs szip tcpd tetex theora truetype unicode usb v4l v4l2 vcd vidix vim vim-pager vlm vorbis xcb xorg xosd xpm xvid zlib" ALSA_CARDS="ali5451 als4000 bt87x ca0106 cmipci emu10k1 ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 maestro3 trident usb-audio via82xx ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="vga glint mga nvidia vesa r128 "
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-04-05 14:04:01 UTC
ppc done.  I did not hit the postgres problem however.
Comment 14 Brent Baude (RETIRED) gentoo-dev 2009-04-05 14:19:40 UTC
ppc done
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-19 20:42:06 UTC
(In reply to comment #11)
> Compiling with USE=-postgres doesn't work:
> [...]
> With USE=postgres, everything compiles and the package works. Holding off
> stabilization for now. If you think the security problem warrants this
> breakage, please say so, I'm kinda on the fence in this case.
> 

voip, please advise.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-04-21 18:38:33 UTC
alpha/sparc stable, as it works fine for me
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 16:10:56 UTC
Now that armin resolved alpha, all arches are done.
GLSA together with the other asterisk stuff.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:33 UTC
GLSA 200905-01