AST-2010-003: Invalid parsing of ACL rules can compromise security Feb 25 2010 10:28PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2010-003

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | Invalid parsing of ACL rules can compromise |
| | security |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Unauthorized access to system |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+--------------------------------------------------
-|
| Severity | Moderate |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | Feb 24, 2010 |
|--------------------+--------------------------------------------------
-|
| Reported By | Mark Michelson |
|--------------------+--------------------------------------------------
-|
| Posted On | Feb 25, 2010 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | February 25, 2010 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------+--------------------------------------------------
-|
| CVE Name | |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | Host access rules using "permit=" and "deny=" |
| | configurations behave unpredictably if the CIDR notation |
| | "/0" is used. Depending on the system's behavior, this |
| | may act as desired, but in other cases it might not, |
| | thereby allowing access from hosts that should be |
| | denied. |
| | |
| | Note that even if an unauthorized host is allowed access |
| | due to this exploit, authentication measures still in |
| | place would prevent further unauthorized access. |
| | |
| | Note also that there is a workaround for this problem, |
| | which is to use the dotted-decimal format "/0.0.0.0" |
| | instead of CIDR notation. The bug does not exist when |
| | using this format. In addition, this format is what is |
| | used in Asterisk's sample configuration files. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | Code has been corrected to behave consistently on all |
| | systems when "/0" is used. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.4.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.6.x | All 1.6.0, 1.6.1 and 1.6.2 |
| | | releases |
|----------------------------+---------+--------------------------------
-|
| Asterisk Addons | 1.2.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Addons | 1.4.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Addons | 1.6.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | B.x.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | C.x.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| AsteriskNOW | 1.5 | Unaffected |
|----------------------------+---------+--------------------------------
-|
| s800i (Asterisk Appliance) | 1.2.x | Unaffected |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|------------------------------------+----------------------------------
-|
| Asterisk | 1.6.0.25 |
|------------------------------------+----------------------------------
-|
| Asterisk | 1.6.1.17 |
|------------------------------------+----------------------------------
-|
| Asterisk | 1.6.2.5 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
--+
| Patches |
|-----------------------------------------------------------------------
--|
| URL |Branch|
|------------------------------------------------------------------+----
--|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.
0 |
|------------------------------------------------------------------+----
--|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.
1 |
|------------------------------------------------------------------+----
--|
|http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.
2 |
+-----------------------------------------------------------------------
--+

+-----------------------------------------------------------------------
-+
| Links | |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2010-003.pdf and |
| http://downloads.digium.com/pub/security/AST-2010-003.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-------------------+----------------------+----------------------------
-|
| Feb 24, 2010 | Mark Michelson | Initial Advisory |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2010-003
Copyright (c) 2010 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus