CVE-2008-3903 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3903): Asterisk PBX 1.2 through 1.6 and Trixbox PBX 2.6.1, when running with Digest authentication and authalwaysreject enabled, generates different responses depending on whether or not a SIP username is valid, which allows remote attackers to enumerate valid usernames.
The manner in which this bug should be resolved is far from clear. I could find no mention of vulnerability upstream so I enquired in the #asterisk-dev channel as follows: "I am not sure what to do with it as I'm having difficulty in determining whether it was filed/discussed and, if it was, whether it was deemed to be a valid bug in asterisk or simply a deficiency in the SIP protocol. could anyone shed some light on that?" Someone eventually responded, stating that it was a deficiency in the SIP protocol and expressing irritation that the "vulnerability" had not been referred to security@asterisk.org. Further questions on the matter did not elicit a response.

Now, looking at the sample sip.conf file in asterisk, the effect of the alwaysauthreject option is explained as thus: "When an incoming INVITE or REGISTER is to be rejected, for any reason, always reject with '401 Unauthorized' instead of letting the requester know whether there was a matching user or peer for their request"

However, the author of the advisory is claiming that, even where the alwaysauthreject option is enabled, an INVITE/SUBSCRIBE/REGISTER operation involving a correct username combined with an incorrect password results in a "SIP/2.0 403 Forbidden (Bad auth)" response. If that is the case - and remains the case in the latest tagged releases of asterisk - then I am personally inclined to agree that this is indeed a bona fide vulnerability. Ergo, should the user activate the alwaysauthreject option, there should be no circumstance that arises where a 403 response may be issued (precisely as the documentation suggests).

I would suggest that we perform some independent testing to verify the validity of the advisory as it currently stands with respect to the current releases: 1.2.31.1, 1.4.23.1 and 1.6.0.5. Then, depending on the outcome:

a) Refer to upstream through the approved channels (if valid)
b) Close this bug as INVALID
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
Mailed upstream to get a statement.
Rajiv, as far as I'm aware, all versions of asterisk remain affected. Therefore, that commit doesn't change anything; this isn't one of the many security bugs that are otherwise resolved :) At any rate, I have personally confirmed that the defect applies to 1.4.23.1. Alex, did you hear back from upstream yet?
(In reply to comment #4)
> Alex, did you hear back from upstream yet?

Yes, I did. They were not aware of this issue yet, but: "We'll look at resolving this issue ourselves with an upcoming advisory."
*** Bug 264677 has been marked as a duplicate of this bug. ***
http://lists.digium.com/pipermail/asterisk-announce/2009-April/000177.html

               Asterisk Project Security Advisory - AST-2009-003

+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | SIP responses expose valid usernames              |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Information leak                                  |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote Unauthenticated Sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Minor                                             |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| Reported On        | February 23, 2009                                 |
|--------------------+---------------------------------------------------|
| Reported By        | Gentoo Linux Project: Kerin Millar ( kerframil on |
|                    | irc.freenode.net ) and Fergal Glynn < FGlynn AT   |
|                    | veracode DOT com >                                |
|--------------------+---------------------------------------------------|
| Posted On          | April 2, 2009                                     |
|--------------------+---------------------------------------------------|
| Last Updated On    | April 2, 2009                                     |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >     |
|--------------------+---------------------------------------------------|
| CVE Name           | CVE-2008-3903                                     |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | In 2006, the Asterisk maintainers made it more difficult |
|             | to scan for valid SIP usernames by implementing an       |
|             | option called "alwaysauthreject", which should return a  |
|             | 401 error on all replies which are generated for users   |
|             | which do not exist. While this was sufficient at the     |
|             | time, due to ever increasing compliance with RFC 3261,   |
|             | the SIP specification, that is no longer sufficient as a |
|             | means towards preventing attackers from checking         |
|             | responses to verify whether a SIP account exists on a    |
|             | machine.                                                 |
|             |                                                          |
|             | What we have done is to carefully emulate exactly the    |
|             | same responses throughout possible dialogs, which should |
|             | prevent attackers from gleaning this information. All    |
|             | invalid users, if this option is turned on, will receive |
|             | the same response throughout the dialog, as if a         |
|             | username was valid, but the password was incorrect.      |
|             |                                                          |
|             | It is important to note several things. First, this      |
|             | vulnerability is derived directly from the SIP           |
|             | specification, and it is a technical violation of RFC    |
|             | 3261 (and subsequent RFCs, as of this date), for us to   |
|             | return these responses. Second, this attack is made much |
|             | more difficult if administrators avoided creating        |
|             | all-numeric usernames and especially all-numeric         |
|             | passwords. This combination is extremely vulnerable for  |
|             | servers connected to the public Internet, even with this |
|             | patch in place. While it may make configuring SIP        |
|             | telephones easier in the short term, it has the          |
|             | potential to cause grief over the long term.             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions below, or apply one of the |
|            | patches specified in the Patches section.                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                    | Release    |                              |
|                            | Series     |                              |
|----------------------------+------------+------------------------------|
| Asterisk Open Source       | 1.2.x      | All versions prior to 1.2.32 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source       | 1.4.x      | All versions prior to        |
|                            |            | 1.4.24.1                     |
|----------------------------+------------+------------------------------|
| Asterisk Open Source       | 1.6.0.x    | All versions prior to        |
|                            |            | 1.6.0.8                      |
|----------------------------+------------+------------------------------|
| Asterisk Addons            | 1.2.x      | Not affected                 |
|----------------------------+------------+------------------------------|
| Asterisk Addons            | 1.4.x      | Not affected                 |
|----------------------------+------------+------------------------------|
| Asterisk Addons            | 1.6.x      | Not affected                 |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition  | A.x.x      | All versions                 |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition  | B.x.x      | All versions prior to        |
|                            |            | B.2.5.8                      |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition  | C.1.x.x    | All versions prior to        |
|                            |            | C.1.10.5                     |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition  | C.2.x.x    | All versions prior to        |
|                            |            | C.2.3.3                      |
|----------------------------+------------+------------------------------|
| AsteriskNOW                | 1.5        | Not affected                 |
|----------------------------+------------+------------------------------|
| s800i (Asterisk Appliance) | 1.3.x      | All versions prior to        |
|                            |            | 1.3.0.2                      |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                              Corrected In                              |
|------------------------------------------------------------------------|
| Product                                     | Release                  |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.2.32                   |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.4.24.1                 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.6.0.8                  |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | B.2.5.8                  |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | C.1.10.5                 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | C.2.3.3                  |
|---------------------------------------------+--------------------------|
| s800i (Asterisk Appliance)                  | 1.3.0.2                  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                                Patches                                 |
|------------------------------------------------------------------------|
| Patch URL                                                      |Version|
|----------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt   | 1.2   |
|----------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt   | 1.4   |
|----------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt | 1.6.0 |
|----------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt | 1.6.1 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | http://www.faqs.org/rfcs/rfc3261.html                          |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2009-003.pdf and          |
| http://downloads.digium.com/pub/security/AST-2009-003.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                            Revision History                            |
|------------------------------------------------------------------------|
| Date            | Editor                 | Revisions Made              |
|-----------------+------------------------+-----------------------------|
| 2009-04-02      | Tilghman Lesher        | Initial release             |
+------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-003
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
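The advisory's core point is that masking unknown users behind 401 is not enough once a real user with a wrong password still draws a different reply later in the dialog; the fix makes both cases produce identical responses at every step. The following toy model is an added illustration written for this bug page, not Asterisk code or the AST-2009-003 patch: the peer table, usernames and passwords are constructed, the 401/403 status lines are the ones quoted in this bug, and the 404 used on the alwaysauthreject=no path is an assumed placeholder code. It includes a small self-check a defender can apply to any such response policy to confirm the unknown-user and bad-password dialogs are indistinguishable.

```python
"""Toy model of the SIP authentication-response leak behind CVE-2008-3903.

Added example for this bug thread, not Asterisk's code. PEERS, the user
names and the passwords are constructed; NOT_FOUND is an assumed code for
the alwaysauthreject=no path and is only there to show the option's role.
"""
import hmac

# Constructed peer table (what sip.conf with alwaysauthreject=yes would
# define as peers); nothing here comes from a real system.
PEERS = {"alice": "correct-horse", "bob": "battery-staple"}

CHALLENGE = "SIP/2.0 401 Unauthorized"          # Digest challenge / masked reject
FORBIDDEN = "SIP/2.0 403 Forbidden (Bad auth)"  # known user, wrong credentials
NOT_FOUND = "SIP/2.0 404 Not Found"             # assumed: option off, unknown user
OK = "SIP/2.0 200 OK"


def _password_ok(user: str, password: str) -> bool:
    """Constant-time comparison against the stored secret (empty for unknown users)."""
    stored = PEERS.get(user, "")
    return hmac.compare_digest(stored.encode(), password.encode())


def respond_pre_fix(user: str, password, alwaysauthreject: bool = True) -> str:
    """Behaviour the bug reports before the fix. Unknown users are masked as
    401 at every step, but a real user with bad credentials gets 403, so the
    second reply of the dialog still reveals whether the user exists."""
    if user not in PEERS:
        return CHALLENGE if alwaysauthreject else NOT_FOUND
    if password is None:          # first request carries no credentials
        return CHALLENGE
    return OK if _password_ok(user, password) else FORBIDDEN


def respond_post_fix(user: str, password, alwaysauthreject: bool = True) -> str:
    """Behaviour the advisory describes after the fix: with the option on, an
    unknown user receives exactly what a valid user with a wrong password
    receives at each step of the dialog."""
    if user not in PEERS and not alwaysauthreject:
        return NOT_FOUND
    if password is None:
        return CHALLENGE
    if user in PEERS and _password_ok(user, password):
        return OK
    return FORBIDDEN              # identical for unknown user and bad password


def dialog(responder, user: str, password: str) -> list:
    """Two-step exchange: request without credentials, then the same request
    with a (possibly wrong) Digest response attached."""
    return [responder(user, None), responder(user, password)]


def responses_distinguishable(responder) -> bool:
    """Self-check for a response policy: True if the dialog for a nonexistent
    user differs anywhere from the dialog for a real user with a bad password.
    A policy meant to hide account existence must return False here."""
    unknown = dialog(responder, "nobody-here", "wrong")
    known_bad = dialog(responder, "alice", "wrong")
    return unknown != known_bad


if __name__ == "__main__":
    for name, responder in (("pre-fix", respond_pre_fix), ("post-fix", respond_post_fix)):
        print(name, "unknown user:", dialog(responder, "nobody-here", "wrong"))
        print(name, "bad password:", dialog(responder, "alice", "wrong"))
        print(name, "distinguishable:", responses_distinguishable(responder))
```

Running the module prints both dialogs for each policy; only the pre-fix policy reports the two cases as distinguishable, which is the observable the advisory set out to remove.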
See above.
Arches, please test and mark stable: =net-misc/asterisk-1.2.32 Target keywords : "alpha amd64 ppc sparc x86"
amd64/x86 stable
Compiling with USE=-postgres doesn't work:

alpha-unknown-linux-gnu-gcc -mieee -pipe -O2 -mcpu=ev67 -pipe -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Iinclude -I../include -D_REENTRANT -D_GNU_SOURCE -mieee -pipe -O2 -mcpu=ev67 -DLOW_MEMORY -fomit-frame-pointer -fPIC -I/usr/include/postgresql -c -o cdr_pgsql.o cdr_pgsql.c
cdr_pgsql.c:43:22: error: libpq-fe.h: No such file or directory
cdr_pgsql.c:43:22: error: libpq-fe.h: No such file or directory
cdr_pgsql.c:67: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
cdr_pgsql.c:68: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
cdr_pgsql.c: In function 'pgsql_log':
cdr_pgsql.c:83: error: 'conn' undeclared (first use in this function)
cdr_pgsql.c:83: error: (Each undeclared identifier is reported only once
cdr_pgsql.c:83: error: for each function it appears in.)

With USE=postgres, everything compiles and the package works. Holding off stabilization for now. If you think the security problem warrants this breakage, please say so, I'm kinda on the fence in this case.
emerge --info
Portage 2.1.6.11 (default/linux/alpha/2008.0, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.29 alpha)
=================================================================
System uname: Linux-2.6.29-alpha-EV68AL-with-glibc2.0
Timestamp of tree: Sat, 04 Apr 2009 17:45:01 +0000
distcc 3.1 alpha-unknown-linux-gnu [enabled]
app-shells/bash:      4.0_p10-r1
dev-lang/python:      2.4.4-r15, 2.5.4-r2
dev-util/cmake:       2.6.3
sys-apps/baselayout:  2.0.0
sys-apps/openrc:      0.4.3-r1
sys-apps/sandbox:     1.7
sys-devel/autoconf:   2.13, 2.63
sys-devel/automake:   1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:   2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:    2.2.6a
virtual/os-headers:   2.6.28-r1
ACCEPT_KEYWORDS="alpha ~alpha"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev67"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev67"
DISTDIR="/usr/portage/distfiles"
FEATURES="distcc distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans usepkg userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.tiscali.nl/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync5.de.gentoo.org/gentoo-portage"
USE="X acl alpha alsa apache2 audiofile bash-completion berkdb bzip2 calendar cdparanoia cdr cli cracklib crypt dio dri encode ethereal exif ffmpeg fftw firefox flac fortran ftp gdbm gpm iconv imlib2 isdnlog jpeg kdeenablefinal libcaca lua mad matroska midi mmap mng moznocompose moznoirc moznomail mozsvg mpeg mudflap ncurses network-cron nls nptl nptlonly offensive ogg openmp pam pcre pdflib perl png pnm ppds pppd python rar readline recode reflection session sharedmem sockets sox spl ssl svg sysfs szip tcpd tetex theora truetype unicode usb v4l v4l2 vcd vidix vim vim-pager vlm vorbis xcb xorg xosd xpm xvid zlib" ALSA_CARDS="ali5451 als4000 bt87x ca0106 cmipci emu10k1 ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 maestro3 trident usb-audio via82xx ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="vga glint mga nvidia vesa r128 "
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
ppc done. I did not hit the postgres problem however.
ppc done
(In reply to comment #11)
> Compiling with USE=-postgres doesn't work:
> [...]
> With USE=postgres, everything compiles and the package works. Holding off
> stabilization for now. If you think the security problem warrants this
> breakage, please say so, I'm kinda on the fence in this case.

voip, please advise.
alpha/sparc stable, as it works fine for me
Now that armin resolved alpha, all arches are done. GLSA together with the other asterisk stuff.
GLSA 200905-01