Asterisk Project Security Advisory - AST-2009-007 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | ACL not respected on SIP INVITE | |--------------------+---------------------------------------------------| | Nature of Advisory | Unauthorized calls allowed on prohibited networks | |--------------------+---------------------------------------------------| | Susceptibility | Remote unauthorized session | |--------------------+---------------------------------------------------| | Severity | Critical | |--------------------+---------------------------------------------------| | Exploits Known | No | |--------------------+---------------------------------------------------| | Reported On | October 18, 2009 | |--------------------+---------------------------------------------------| | Reported By | Thomas Athineou <thom_winkler AT web DOT de> | |--------------------+---------------------------------------------------| | Posted On | October 26, 2009 | |--------------------+---------------------------------------------------| | Last Updated On | October 26, 2009 | |--------------------+---------------------------------------------------| | Advisory Contact | Jeff Peeler <jpeeler AT digium DOT com> | |--------------------+---------------------------------------------------| | CVE Name | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | A missing ACL check for handling SIP INVITEs allows a | | | device to make calls on networks intended to be | | | prohibited as defined by the "deny" and "permit" lines | | | in sip.conf. The ACL check for handling SIP | | | registrations was not affected. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Users should upgrade to a version listed in the | | | "Corrected In" section below. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release Series | | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 1.2.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 1.4.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 1.6.x | All 1.6.1 versions | |-------------------------------+----------------+-----------------------| | Asterisk Addons | 1.2.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Addons | 1.4.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Addons | 1.6.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Business Edition | A.x.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Business Edition | B.x.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Business Edition | C.x.x | Unaffected | |-------------------------------+----------------+-----------------------| | AsteriskNOW | 1.5 | Unaffected | |-------------------------------+----------------+-----------------------| | s800i (Asterisk Appliance) | 1.2.x | Unaffected | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |---------------------------------------------+--------------------------| | Open Source Asterisk 1.6.1 | 1.6.1.8 | +------------------------------------------------------------------------+ +----------------------------------------------------------------------------+ | Patches | |----------------------------------------------------------------------------| | SVN URL |Version| |--------------------------------------------------------------------+-------| |http://downloads.digium.com/pub/security/AST-2009-007-1.6.1.diff.txt| 1.6.1 | +----------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2009-007.pdf and | | http://downloads.digium.com/pub/security/AST-2009-007.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |------------------------+------------------+----------------------------| | October 26, 2009 | Jeff Peeler | Initial release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2009-007 Copyright (c) 2009 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.