Asterisk Security Team
2019-Nov-21 22:45 UTC
[asterisk-announce] AST-2019-006: SIP request can change address of a SIP peer.
Asterisk Project Security Advisory - AST-2019-006

Product: Asterisk
Summary: SIP request can change address of a SIP peer.
Nature of Advisory: Denial of Service
Susceptibility: Remote Unauthenticated Sessions
Severity: Minor
Exploits Known: No
Reported On: October 17, 2019
Reported By: Andrey V. T.
Posted On: November 21, 2019
Last Updated On: November 21, 2019
Advisory Contact: bford AT sangoma DOT com
CVE Name: CVE-2019-18790

Description

A SIP request can be sent to Asterisk that changes a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the "nat" option is set to the default, "auto_force_rport".

Modules Affected: channels/chan_sip.c

Resolution

Using any other value for "nat" will prevent the attack (such as "nat=no" or "nat=force_rport"), but the chosen value will need to be tested on an individual basis to ensure that it works for the user's deployment. On the fixed versions of Asterisk, the address of the peer is no longer set before authentication is successful when a SIP request comes in.
Affected Versions

Product                  Release Series
Asterisk Open Source     13.x    All releases
Asterisk Open Source     16.x    All releases
Asterisk Open Source     17.x    All releases
Certified Asterisk       13.21   All releases

Corrected In

Product                  Release
Asterisk Open Source     13.29.2
Asterisk Open Source     16.6.2
Asterisk Open Source     17.0.1
Certified Asterisk       13.21-cert5

Patches

SVN URL                                                                Revision
http://downloads.asterisk.org/pub/security/AST-2019-006-13.diff        Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2019-006-16.diff        Asterisk 16
http://downloads.asterisk.org/pub/security/AST-2019-006-17.diff        Asterisk 17
http://downloads.asterisk.org/pub/security/AST-2019-006-13.21.diff     Certified Asterisk 13.21-cert5

Links: https://issues.asterisk.org/jira/browse/ASTERISK-28589

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-006.pdf and http://downloads.digium.com/pub/security/AST-2019-006.html

Revision History

Date                Editor      Revisions Made
October 22, 2019    Ben Ford    Initial Revision
November 14, 2019   Ben Ford    Corrected and updated fields for versioning, and added CVE
November 21, 2019   Ben Ford    Added "Posted On" date

Copyright © 2019 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
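As an added illustration of the Resolution section (this fragment is not part of the advisory or the Asterisk project's sample configuration), the following chan_sip sip.conf excerpt shows the vulnerable default beside the two interim mitigations the advisory names. The peer names, secret, context and host address are constructed placeholders; "nat" in [general] sets the default for all peers and can be overridden per peer.

```ini
; sip.conf (chan_sip) -- added example, not from the advisory.
; Peer names, hosts, context and secret are constructed placeholders.

[general]
; Vulnerable on unpatched 13.x / 16.x / 17.x / 13.21-cert: leaving "nat"
; unset is the same as the default below, which lets an unauthenticated
; request that only knows the peer name update the peer's address
; (CVE-2019-18790).
;nat=auto_force_rport

; Interim mitigation named in the advisory: any other value for "nat".
; Test whichever you choose against your own phones and trunks.
nat=force_rport          ; always behave as if the request carried rport
;nat=no                  ; alternative: plain RFC 3581 handling, no NAT guessing

[alice-desk]             ; constructed peer name
type=friend
host=dynamic
secret=CHANGE-ME-placeholder
context=internal
; Per-peer override: this phone is on the same LAN, so no rport forcing.
nat=no

[branch-gateway]         ; constructed peer name
type=peer
host=198.51.100.20       ; RFC 5737 documentation address, placeholder
context=from-branch
nat=force_rport
```

The configuration change is a stop-gap; the durable fix is upgrading to one of the corrected releases listed above, which can be confirmed with `asterisk -rx "core show version"`. While on an unpatched build, the addresses shown by `asterisk -rx "sip show peers"` are worth watching: a dynamic peer whose address changes without a corresponding registration is the symptom this advisory describes.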
Reasonably Related Threads
- Asterisk 13.29.2, 16.6.2, 17.0.1 and 13.21-cert5 Now Available (Security)
- AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.
- AST-2019-007: AMI user could execute system commands.
- AST-2020-002: Outbound INVITE loop on challenge with different nonce.
- AST-2018-006: WebSocket frames with 0 sized payload causes DoS