+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | ACL not respected on SIP INVITE |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Unauthorized calls allowed on prohibited networks |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote unauthorized session |
|--------------------+--------------------------------------------------
-|
| Severity | Critical |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | October 18, 2009 |
|--------------------+--------------------------------------------------
-|
| Reported By | Thomas Athineou <thom_winkler AT web DOT de> |
|--------------------+--------------------------------------------------
-|
| Posted On | October 26, 2009 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | October 26, 2009 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Jeff Peeler <jpeeler AT digium DOT com> |
|--------------------+--------------------------------------------------
-|
| CVE Name | |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Description | A missing ACL check for handling SIP INVITEs allows a |
| | device to make calls on networks intended to be |
| | prohibited as defined by the "deny" and "permit" lines |
| | in sip.conf. The ACL check for handling SIP |
| | registrations was not affected. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Resolution | Users should upgrade to a version listed in the |
| | "Corrected In" section below. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-007.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-007.html |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|------------------------+------------------+---------------------------
-|
| October 26, 2009 | Jeff Peeler | Initial release |
+-----------------------------------------------------------------------
-+
Asterisk Project Security Advisory - AST-2009-007
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | ACL not respected on SIP INVITE |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Unauthorized calls allowed on prohibited networks |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote unauthorized session |
|--------------------+--------------------------------------------------
-|
| Severity | Critical |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | October 18, 2009 |
|--------------------+--------------------------------------------------
-|
| Reported By | Thomas Athineou <thom_winkler AT web DOT de> |
|--------------------+--------------------------------------------------
-|
| Posted On | October 26, 2009 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | October 26, 2009 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Jeff Peeler <jpeeler AT digium DOT com> |
|--------------------+--------------------------------------------------
-|
| CVE Name | |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Description | A missing ACL check for handling SIP INVITEs allows a |
| | device to make calls on networks intended to be |
| | prohibited as defined by the "deny" and "permit" lines |
| | in sip.conf. The ACL check for handling SIP |
| | registrations was not affected. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Resolution | Users should upgrade to a version listed in the |
| | "Corrected In" section below. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release Series | |
|-------------------------------+----------------+----------------------
-|
| Asterisk Open Source | 1.2.x | Unaffected |
|-------------------------------+----------------+----------------------
-|
| Asterisk Open Source | 1.4.x | Unaffected |
|-------------------------------+----------------+----------------------
-|
| Asterisk Open Source | 1.6.x | All 1.6.1 versions |
|-------------------------------+----------------+----------------------
-|
| Asterisk Addons | 1.2.x | Unaffected |
|-------------------------------+----------------+----------------------
-|
| Asterisk Addons | 1.4.x | Unaffected |
|-------------------------------+----------------+----------------------
-|
| Asterisk Addons | 1.6.x | Unaffected |
|-------------------------------+----------------+----------------------
-|
| Asterisk Business Edition | A.x.x | Unaffected |
|-------------------------------+----------------+----------------------
-|
| Asterisk Business Edition | B.x.x | Unaffected |
|-------------------------------+----------------+----------------------
-|
| Asterisk Business Edition | C.x.x | Unaffected |
|-------------------------------+----------------+----------------------
-|
| AsteriskNOW | 1.5 | Unaffected |
|-------------------------------+----------------+----------------------
-|
| s800i (Asterisk Appliance) | 1.2.x | Unaffected |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|---------------------------------------------+-------------------------
-|
| Open Source Asterisk 1.6.1 | 1.6.1.8 |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-----+
| Patches |
|-----------------------------------------------------------------------
-----|
| SVN URL |Version|
|--------------------------------------------------------------------+--
-----|
|http://downloads.digium.com/pub/security/AST-2009-007-1.6.1.diff.txt| 1.6.1 |
+-----------------------------------------------------------------------
-----+
+-----------------------------------------------------------------------
-+
| Links | |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-007.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-007.html |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|------------------------+------------------+---------------------------
-|
| October 26, 2009 | Jeff Peeler | Initial release |
+-----------------------------------------------------------------------
-+
Asterisk Project Security Advisory - AST-2009-007
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
[ reply ]