AST-2018-008: PJSIP endpoint presence disclosure when using ACL Jun 11 2018 10:29PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2018-008

Product Asterisk
Summary PJSIP endpoint presence disclosure when using ACL
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Minor
Exploits Known No
Reported On April 19, 2018
Reported By John
Posted On June 11, 2018
Last Updated On June 11, 2018
Advisory Contact Rmudgett AT digium DOT com
CVE Name

Description When endpoint specific ACL rules block a SIP request they
respond with a 403 forbidden. However, if an endpoint is
not identified then a 401 unauthorized response is sent.
This vulnerability just discloses which requests hit a
defined endpoint. The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.

Resolution Endpoint specific ACL rules now respond with a 401 challenge
which is the same as if an endpoint were not identified. An
alternate is to use global ACL rules to avoid the
information disclosure.

Affected Versions
Product Release
Asterisk Open Source 13.x 13.10.0 and later
Asterisk Open Source 14.x All releases
Asterisk Open Source 15.x All releases
Certified Asterisk 13.18 All releases
Certified Asterisk 13.21 All releases

Corrected In
Product Release
Asterisk Open Source 13.21.1, 14.7.7, 15.4.1
Certified Asterisk 13.18-cert4, 13.21-cert2

SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2018-008-13.diff Asterisk
http://downloads.asterisk.org/pub/security/AST-2018-008-14.diff Asterisk
http://downloads.asterisk.org/pub/security/AST-2018-008-15.diff Asterisk
http://downloads.asterisk.org/pub/security/AST-2018-008-13.18.diff Certified
http://downloads.asterisk.org/pub/security/AST-2018-008-13.21.diff Certified


Asterisk Project Security Advisories are posted at

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2018-008.pdf and

Revision History
Date Editor Revisions Made
May 1, 2018 Richard Mudgett Initial revision
June 11, 2018 Richard Mudgett Added Certified Asterisk 13.21

Asterisk Project Security Advisory - AST-2018-008
Copyright (c) 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus