Asterisk Security Team
2010-Feb-25 22:28 UTC
[asterisk-users] AST-2010-003: Invalid parsing of ACL rules can compromise security
Asterisk Project Security Advisory - AST-2010-003
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Invalid parsing of ACL rules can compromise |
| | security |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Unauthorized access to system |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | Feb 24, 2010 |
|--------------------+---------------------------------------------------|
| Reported By | Mark Michelson |
|--------------------+---------------------------------------------------|
| Posted On | Feb 25, 2010 |
|--------------------+---------------------------------------------------|
| Last Updated On | February 25, 2010 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com >
|
|--------------------+---------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | Host access rules using "permit=" and
"deny=" |
| | configurations behave unpredictably if the CIDR notation |
| | "/0" is used. Depending on the system's
behavior, this |
| | may act as desired, but in other cases it might not, |
| | thereby allowing access from hosts that should be |
| | denied. |
| | |
| | Note that even if an unauthorized host is allowed access |
| | due to this exploit, authentication measures still in |
| | place would prevent further unauthorized access. |
| | |
| | Note also that there is a workaround for this problem, |
| | which is to use the dotted-decimal format
"/0.0.0.0" |
| | instead of CIDR notation. The bug does not exist when |
| | using this format. In addition, this format is what is |
| | used in Asterisk's sample configuration files.
|
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Code has been corrected to behave consistently on all |
| | systems when "/0" is used.
|
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.x | All 1.6.0, 1.6.1 and 1.6.2 |
| | | releases |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.4.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.6.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| AsteriskNOW | 1.5 | Unaffected |
|----------------------------+---------+---------------------------------|
| s800i (Asterisk Appliance) | 1.2.x | Unaffected |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.0.25 |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.1.17 |
|------------------------------------+-----------------------------------|
| Asterisk | 1.6.2.5 |
+------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
| Patches |
|-------------------------------------------------------------------------|
| URL |Branch|
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.0 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.1 |
|------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.2 |
+-------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2010-003.pdf and |
| http://downloads.digium.com/pub/security/AST-2010-003.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+----------------------+-----------------------------|
| Feb 24, 2010 | Mark Michelson | Initial Advisory |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2010-003
Copyright (c) 2010 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Possibly Parallel Threads
- AST-2010-003: Invalid parsing of ACL rules can compromise security
- AST-2007-022: Buffer overflows in voicemail when using IMAP storage
- AST-2007-022: Buffer overflows in voicemail when using IMAP storage
- AST-2008-012: Remote crash vulnerability in IAX2
- AST-2008-012: Remote crash vulnerability in IAX2
Wisdom of the Ancients
