Asterisk Security Team
2019-Nov-21 22:45 UTC
[asterisk-announce] AST-2019-006: SIP request can change address of a SIP peer.
Asterisk Project Security Advisory - AST-2019-006
Product Asterisk
Summary SIP request can change address of a SIP peer.
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Minor
Exploits Known No
Reported On October 17, 2019
Reported By Andrey V. T.
Posted On November 21, 2019
Last Updated On November 21, 2019
Advisory Contact bford AT sangoma DOT com
CVE Name CVE-2019-18790
Description A SIP request can be sent to Asterisk that can change
a SIP peer’s IP address. A REGISTER does not need to
occur, and calls can be hijacked as a result. The only
thing that needs to be known is the peer’s name;
authentication details such as passwords do not need
to be known. This vulnerability is only exploitable
when the “nat” option is set to the default, or
“auto_force_rport”.
Modules Affected channels/chan_sip.c
Resolution Using any other option value for “nat” will prevent the
attack (such as “nat=no” or “nat=force_rport”), but will
need to be tested on an individual basis to ensure that it
works for the user’s deployment. On the fixed versions of
Asterisk, it will no longer set the address of the peer
before authentication is successful when a SIP request comes
in.
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All releases
Asterisk Open Source 16.x All releases
Asterisk Open Source 17.x All releases
Certified Asterisk 13.21 All releases
Corrected In
Product Release
Asterisk Open Source 13.29.2
Asterisk Open Source 16.6.2
Asterisk Open Source 17.0.1
Certified Asterisk 13.21-cert5
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2019-006-13.diff Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2019-006-16.diff Asterisk 16
http://downloads.asterisk.org/pub/security/AST-2019-006-17.diff Asterisk 17
http://downloads.asterisk.org/pub/security/AST-2019-006-13.21.diff Certified
Asterisk
13.21-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-28589
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2019-006.pdf and
http://downloads.digium.com/pub/security/AST-2019-006.html
Revision History
Date Editor Revisions Made
October 22, 2019 Ben Ford Initial Revision
November 14, 2019 Ben Ford Corrected and updated fields for
versioning, and added CVE
November 21, 2019 Ben Ford Added “Posted On” date
Asterisk Project Security Advisory - AST-2019-006
Copyright © 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Reasonably Related Threads
- Asterisk 13.29.2, 16.6.2, 17.0.1 and 13.21-cert5 Now Available (Security)
- AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.
- AST-2019-007: AMI user could execute system commands.
- AST-2020-002: Outbound INVITE loop on challenge with different nonce.
- AST-2018-006: WebSocket frames with 0 sized payload causes DoS
Wisdom of the Ancients
