BugTraq
AST-2007-027 - Database matching order permits host-based authentication to be ignored Dec 18 2007 08:03PM
Security Officer (security asterisk org)
Asterisk Project Security Advisory - AST-2007-027

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | Database matching order permits host-based |
| | authentication to be ignored |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Logic error |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+--------------------------------------------------
-|
| Severity | Moderate |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | October 30, 2007 |
|--------------------+--------------------------------------------------
-|
| Reported By | Tilghman Lesher <tlesher AT digium DOT com> |
|--------------------+--------------------------------------------------
-|
| Posted On | December 18, 2007 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | December 18, 2007 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|--------------------+--------------------------------------------------
-|
| CVE Name | CVE-2007-6430 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | Due to the way database-based registrations ("realtime") |
| | are processed, IP addresses are not checked when the |
| | username is correct and there is no password. An |
| | attacker may impersonate any user using host-based |
| | authentication without a secret, simply by guessing the |
| | username of that user. This is limited in scope to |
| | administrators who have set up the registration database |
| | ("realtime") for authentication and are using only |
| | host-based authentication, not passwords. However, both |
| | the SIP and IAX protocols are affected. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | As a workaround, administrators may set a password for |
| | all users and peers in their registration "realtime" |
| | database. A fix is included in the newest release of |
| | Asterisk, as provided below. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|----------------------------+-------------+----------------------------
-|
| Asterisk Open Source | 1.0.x | Not affected |
|----------------------------+-------------+----------------------------
-|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.26 |
|----------------------------+-------------+----------------------------
-|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.16 |
|----------------------------+-------------+----------------------------
-|
| Asterisk Business Edition | A.x.x | Not affected |
|----------------------------+-------------+----------------------------
-|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.3.6 |
|----------------------------+-------------+----------------------------
-|
| Asterisk Business Edition | C.x.x | All versions prior to |
| | | C.1.0-beta8 |
|----------------------------+-------------+----------------------------
-|
| AsteriskNOW | pre-release | Not affected |
|----------------------------+-------------+----------------------------
-|
| Asterisk Appliance | 0.x.x | Not affected |
| Developer Kit | | |
|----------------------------+-------------+----------------------------
-|
| s800i (Asterisk Appliance) | 1.0.x | Not affected |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|-------------------------------------------+---------------------------
-|
| Asterisk Open Source | 1.2.26 |
|-------------------------------------------+---------------------------
-|
| Asterisk Open Source | 1.4.16 |
|-------------------------------------------+---------------------------
-|
| Asterisk Business Edition | B.2.3.6 |
|-------------------------------------------+---------------------------
-|
| Asterisk Business Edition | C.1.0-beta8 |
|-------------------------------------------+---------------------------
-|
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Links | |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-027.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-027.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-----------------+------------------------+----------------------------
-|
| 2007-12-18 | Tilghman Lesher | Initial Release |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2007-027
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus