Bug 364887 (CVE-2011-1507) - <net-misc/asterisk-{1.6.2.17.3,1.8.3.3}: Denial of Service and Authorization Bypass Vulnerabilities (CVE-2011-{1507,1599})
Summary: <net-misc/asterisk-{1.6.2.17.3,1.8.3.3}: Denial of Service and Authorization ...
Status: RESOLVED FIXED
Alias: CVE-2011-1507
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/se...
Whiteboard: B3 [glsa]
Reported: 2011-04-26 03:47 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-24 18:45 UTC
CC: 3 users
Description Tim Sammut (RETIRED) gentoo-dev 2011-04-26 03:47:25 UTC
There are two new Asterisk security advisories.

http://downloads.asterisk.org/pub/security/AST-2011-005.html
Description: On systems that have the Asterisk Manager Interface, Skinny, SIP over TCP, or the built-in HTTP server enabled, it is possible for an attacker to open as many connections to Asterisk as he wishes. This will cause Asterisk to run out of available file descriptors and stop processing any new calls. Additionally, disk space can be exhausted as Asterisk logs failures to open new file descriptors.

http://downloads.digium.com/pub/security/AST-2011-006.html
Description: It is possible for a user of the Asterisk Manager Interface to bypass a security check and execute shell commands when they should not have that ability. Sending the "Async" header with the "Application" header during an Originate action allows authenticated manager users to execute shell commands. Only users with the "system" privilege should be able to do this.
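An added example, not code from this report or from Asterisk, modelling the authorization check that AST-2011-006 concerns: a minimal AMI action parser beside a vulnerable and a hardened Originate authorization routine. The SHELL_APPS set, the permission-class names in `perms`, and the way the vulnerable branch returns before the check are assumptions of this model, not Asterisk's actual control flow.

```python
# Added example, not Asterisk's own code: a model of the AMI Originate
# authorization check that AST-2011-006 / CVE-2011-1599 concerns.

# Assumption: dialplan applications that hand a string to a shell. Real
# Asterisk keeps its own list; this constructed set is only for the model.
SHELL_APPS = {"system", "trysystem"}


def parse_ami_action(raw):
    """Parse one AMI action (CRLF-separated "Key: Value" lines, ended by a
    blank line) into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            break                      # blank line terminates the action
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return headers


def _wants_async(headers):
    return headers.get("async", "").lower() in ("yes", "true", "1", "on")


def authorize_originate_vulnerable(headers, perms):
    """Pre-fix behaviour as the advisory describes it, modelled here as the
    async path returning before the Application/system check is reached."""
    if headers.get("action", "").lower() != "originate":
        return True                    # other actions: not this check's job
    if "originate" not in perms:
        return False
    if _wants_async(headers):
        return True                    # the skipped check: the bug
    app = headers.get("application", "").lower()
    return app not in SHELL_APPS or "system" in perms


def authorize_originate_fixed(headers, perms):
    """Hardened form: decide on Application before Async is consulted, so
    a shell-capable application always needs the "system" privilege."""
    if headers.get("action", "").lower() != "originate":
        return True
    if "originate" not in perms:
        return False
    app = headers.get("application", "").lower()
    if app in SHELL_APPS and "system" not in perms:
        return False
    return True                        # Async no longer changes the outcome
```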
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2011-04-26 08:22:28 UTC
+*asterisk-1.8.3.3 (26 Apr 2011)
+
+  26 Apr 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.3.2.ebuild,
+  +asterisk-1.8.3.3.ebuild:
+  Update in 1.8 branch for AST-2011-005 & AST-2011-006 (resource exhaustion &
+  unauthenticated shell access, respectively). Remove vulnerable ebuild.
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2011-04-26 08:32:10 UTC
+*asterisk-1.6.2.17.3 (26 Apr 2011)
+
+  26 Apr 2011; Tony Vroon <chainsaw@gentoo.org> +asterisk-1.6.2.17.3.ebuild:
+  Update in 1.6.2 branch for security bug #364887 by Tim Sammut. Addresses
+  CVE-2011-1507 (AST-2011-005/AST-2011-006) and is planned for fast-track
+  stabilisation.

Arches, please test & stable net-misc/asterisk-1.6.2.17.3; this should not introduce additional dependencies over 1.6.2.17.2 and there are no changes to the patchset.
If you are able to repeatedly start & stop the daemon using the init script (on the default config), that constitutes a successful arch test.

Could the last arch please delete the vulnerable 1.6.2.17.2 ebuild from the tree.
Comment 3 Agostino Sarubbo gentoo-dev 2011-04-26 10:23:53 UTC
@x86 team

net-misc/dahdi-2.4.0 does not build with 2.6.37 so please test also:

=net-misc/dahdi-2.4.1
=net-misc/dahdi-tools-2.4.1


@amd64

asterisk, dahdi and dahdi-tools work for me. You can stabilize all.
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2011-04-26 10:31:44 UTC
+  26 Apr 2011; Tony Vroon <chainsaw@gentoo.org> dahdi-2.4.1.ebuild:
+  Fast-track AMD64 stable for security bug #364887. Testing by Agostino "ago"
+  Sarubbo.

+  26 Apr 2011; Tony Vroon <chainsaw@gentoo.org> dahdi-tools-2.4.1.ebuild:
+  Fast-track AMD64 stable for security bug #364887. Testing by Agostino "ago"
+  Sarubbo.

+  26 Apr 2011; Tony Vroon <chainsaw@gentoo.org> asterisk-1.6.2.17.3.ebuild:
+  Make dependency on newer DAHDI explicit to avoid surprises for the X86 team.

+  26 Apr 2011; Tony Vroon <chainsaw@gentoo.org> asterisk-1.6.2.17.3.ebuild:
+  Mark stable on AMD64 for security bug #364887. Arch testing by Agostino "ago"
+  Sarubbo.
Comment 5 Christoph Mende (RETIRED) gentoo-dev 2011-04-27 08:19:30 UTC
removing amd64 from CC then
Comment 6 Andreas Schürch gentoo-dev 2011-04-28 10:34:41 UTC
I successfully tested the three packages here on x86. The only things I've seen are Bug 321979 and Bug 297995, which are no regressions but still true.
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-04-28 21:36:24 UTC
x86 stable. Thanks Andreas
Comment 8 Tony Vroon (RETIRED) gentoo-dev 2011-04-28 22:09:28 UTC
+  28 Apr 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.17.2.ebuild:
+  Removed vulnerable ebuild for CVE-2011-{1507,1599}, security bug #364887.

Security, please proceed with GLSA vote.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-04-28 22:42:09 UTC
Vote: YES.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-04-28 23:09:04 UTC
GLSA Vote: Yes, too. Added to existing GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:17:23 UTC
CVE-2011-1599 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1599):
  manager.c in the Manager Interface in Asterisk Open Source 1.4.x before
  1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x before 1.6.2.17.3, and 1.8.x
  before 1.8.3.3 and Asterisk Business Edition C.x.x before C.3.6.4 does not
  properly check for the system privilege, which allows remote authenticated
  users to execute arbitrary commands via an Originate action that has an
  Async header in conjunction with an Application header.

CVE-2011-1507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1507):
  Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x
  before 1.6.2.17.3, and 1.8.x before 1.8.3.3 and Asterisk Business Edition
  C.x.x before C.3.6.4 do not restrict the number of unauthenticated sessions
  to certain interfaces, which allows remote attackers to cause a denial of
  service (file descriptor exhaustion and disk space exhaustion) via a series
  of TCP connections.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-24 18:45:51 UTC
This issue was resolved and addressed in
 GLSA 201110-21 at http://security.gentoo.org/glsa/glsa-201110-21.xml
by GLSA coordinator Tim Sammut (underling).