Asterisk Project Security Advisory - AST-2010-003 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Invalid parsing of ACL rules can compromise | | | security | |--------------------+---------------------------------------------------| | Nature of Advisory | Unauthorized access to system | |--------------------+---------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+---------------------------------------------------| | Severity | Moderate | |--------------------+---------------------------------------------------| | Exploits Known | No | |--------------------+---------------------------------------------------| | Reported On | Feb 24, 2010 | |--------------------+---------------------------------------------------| | Reported By | Mark Michelson | |--------------------+---------------------------------------------------| | Posted On | Feb 25, 2010 | |--------------------+---------------------------------------------------| | Last Updated On | February 25, 2010 | |--------------------+---------------------------------------------------| | Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > | |--------------------+---------------------------------------------------| | CVE Name | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | Host access rules using "permit=" and "deny=" | | | configurations behave unpredictably if the CIDR notation | | | "/0" is used. Depending on the system's behavior, this | | | may act as desired, but in other cases it might not, | | | thereby allowing access from hosts that should be | | | denied. | | | | | | Note that even if an unauthorized host is allowed access | | | due to this exploit, authentication measures still in | | | place would prevent further unauthorized access. | | | | | | Note also that there is a workaround for this problem, | | | which is to use the dotted-decimal format "/0.0.0.0" | | | instead of CIDR notation. The bug does not exist when | | | using this format. In addition, this format is what is | | | used in Asterisk's sample configuration files. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Code has been corrected to behave consistently on all | | | systems when "/0" is used. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.2.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.4.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.6.x | All 1.6.0, 1.6.1 and 1.6.2 | | | | releases | |----------------------------+---------+---------------------------------| | Asterisk Addons | 1.2.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Addons | 1.4.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Addons | 1.6.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | A.x.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | B.x.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | C.x.x | Unaffected | |----------------------------+---------+---------------------------------| | AsteriskNOW | 1.5 | Unaffected | |----------------------------+---------+---------------------------------| | s800i (Asterisk Appliance) | 1.2.x | Unaffected | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |------------------------------------+-----------------------------------| | Asterisk | 1.6.0.25 | |------------------------------------+-----------------------------------| | Asterisk | 1.6.1.17 | |------------------------------------+-----------------------------------| | Asterisk | 1.6.2.5 | +------------------------------------------------------------------------+ +-------------------------------------------------------------------------+ | Patches | |-------------------------------------------------------------------------| | URL |Branch| |------------------------------------------------------------------+------| |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.0 | |------------------------------------------------------------------+------| |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.1 | |------------------------------------------------------------------+------| |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.2 | +-------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2010-003.pdf and | | http://downloads.digium.com/pub/security/AST-2010-003.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-------------------+----------------------+-----------------------------| | Feb 24, 2010 | Mark Michelson | Initial Advisory | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2010-003 Copyright (c) 2010 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.