Asterisk Project Security Advisory - AST-2007-025 +------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-------------------------------------------------| | Summary | SQL Injection issue in res_config_pgsql | |----------------------+-------------------------------------------------| | Nature of Advisory | SQL Injection | |----------------------+-------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |----------------------+-------------------------------------------------| | Severity | Moderate | |----------------------+-------------------------------------------------| | Exploits Known | No | |----------------------+-------------------------------------------------| | Reported On | November 29, 2007 | |----------------------+-------------------------------------------------| | Reported By | P. Chisteas <p_christ AT hol DOT gr> | |----------------------+-------------------------------------------------| | Posted On | November 29, 2007 | |----------------------+-------------------------------------------------| | Last Updated On | November 29, 2007 | |----------------------+-------------------------------------------------| | Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> | |----------------------+-------------------------------------------------| | CVE Name | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | Input buffers were not properly escaped when providing | | | lookup data to the Postgres Realtime Engine. An attacker | | | could potentially compromise the administrative database | | | containing users' usernames and passwords used for SIP | | | authentication, among other things. | | | | | | This module is not active by default and must be | | | configured for use by the administrator. Default | | | installations of Asterisk are not affected. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Workaround | Convert your installation to use res_config_odbc with the | | | PgsqlODBC driver. This module provides similar | | | functionality but is not vulnerable. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Upgrade to Asterisk release 1.4.15 or higher. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.0.x | None | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.2.x | None | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.4.x | 1.4.14 and previous | | | | versions | |------------------------------+-------------+---------------------------| | Asterisk Business Edition | A.x.x | None | |------------------------------+-------------+---------------------------| | Asterisk Business Edition | B.x.x | None | |------------------------------+-------------+---------------------------| | AsteriskNOW | pre-release | None | |------------------------------+-------------+---------------------------| | Asterisk Appliance Developer | 0.x.x | None | | Kit | | | |------------------------------+-------------+---------------------------| | s800i (Asterisk Appliance) | 1.0.x | None | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |------------------------------------------+-----------------------------| | Asterisk Open Source | 1.4.15 | |------------------------------------------+-----------------------------| |------------------------------------------+-----------------------------| +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2007-025.pdf and | | http://downloads.digium.com/pub/security/AST-2007-025.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-----------------+------------------------+-----------------------------| | 2007-11-29 | Tilghman Lesher | Initial release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2007-025 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.