SecurityTracker.com
Category: Application (VoIP) > Asterisk
Vendors: Digium (Linux Support Services)
Asterisk Access Control Parsing Error May Let Remote Users Bypass Access Controls
SecurityTracker Alert ID:  1023657
SecurityTracker URL:  http://securitytracker.com/id/1023657
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 26 2010
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.6.0.x, 1.6.1.x, 1.6.2.x
Description:   A vulnerability was reported in Asterisk. A remote user may be able to bypass access controls and gain access to the target system.

The system does not properly parse access control lists that contain the '/0' CIDR notation in 'permit=' and 'deny=' host access rules. A remote user may be able to bypass these access controls.
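Neither this entry nor the vendor advisory says why "/0" misbehaves. The following is an added illustration, not Asterisk's code, and it assumes the usual cause of a "/0" defect: converting a prefix length to a mask with 0xFFFFFFFF << (32 - bits), which C leaves undefined for bits == 0, so the resulting mask varies by platform. It parses permit=/deny= rules in both the CIDR form and the dotted-decimal form the advisory recommends as a workaround, converts the prefix with the zero case guarded, and evaluates the rules with assumed last-match-wins, default-allow semantics.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct acl_rule { int permit; uint32_t addr, mask; };  /* host byte order */

/* Prefix length -> mask. The naive 0xFFFFFFFF << (32 - bits) is undefined
 * in C for bits == 0 (shift >= type width), so "/0" would come out platform
 * dependent (assumed here to be the advisory's root cause); special-casing
 * 0 gives the intended all-hosts mask everywhere. */
static uint32_t prefix_to_mask(int bits)
{
    if (bits <= 0)  return 0;
    if (bits >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - bits);
}

/* Parse "permit=A.B.C.D/len" or "deny=A.B.C.D/M.M.M.M"; returns 0 on error. */
static int parse_rule(const char *line, struct acl_rule *r)
{
    char ip[32], mask[32]; int bits; struct in_addr a;
    if (sscanf(line, "permit=%31[0-9.]/%31[0-9.]", ip, mask) == 2) r->permit = 1;
    else if (sscanf(line, "deny=%31[0-9.]/%31[0-9.]", ip, mask) == 2) r->permit = 0;
    else return 0;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    r->addr = ntohl(a.s_addr);
    if (strchr(mask, '.')) {                    /* dotted-decimal mask (workaround form) */
        if (inet_pton(AF_INET, mask, &a) != 1) return 0;
        r->mask = ntohl(a.s_addr);
    } else {                                    /* CIDR prefix length */
        if (sscanf(mask, "%d", &bits) != 1 || bits < 0 || bits > 32) return 0;
        r->mask = prefix_to_mask(bits);
    }
    r->addr &= r->mask;
    return 1;
}

/* Evaluate rules in order: the last matching rule wins and an unmatched host
 * is allowed (assumed semantics), so a leading deny-all line is what turns the
 * list into an allow-list; a mis-parsed "/0" silently removes that line.
 * Returns 1 allow, 0 deny, -1 on malformed input. */
static int acl_allows(const char *const *rules, size_t n, const char *host)
{
    struct in_addr a; struct acl_rule r; int verdict = 1;
    if (inet_pton(AF_INET, host, &a) != 1) return -1;
    uint32_t h = ntohl(a.s_addr);
    for (size_t i = 0; i < n; i++) {
        if (!parse_rule(rules[i], &r)) return -1;
        if ((h & r.mask) == r.addr) verdict = r.permit;
    }
    return verdict;
}
```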

The vendor was notified on February 24, 2010.

Mark Michelson reported this vulnerability.

Impact:   A remote user can bypass host-based access controls in certain cases.
Solution:   The vendor has issued a fix (1.6.0.25, 1.6.1.17, 1.6.2.5).

The vendor's advisory is available at:

http://downloads.digium.com/pub/security/AST-2010-003.html

Vendor URL:  downloads.digium.com/pub/security/AST-2010-003.html
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 25 Feb 2010 16:28:13 -0600
Subject:  [Full-disclosure] AST-2010-003: Invalid parsing of ACL rules can compromise security

               Asterisk Project Security Advisory - AST-2010-003

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Invalid parsing of ACL rules can compromise       |
   |                    | security                                          |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized access to system                     |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | Feb 24, 2010                                      |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Mark Michelson                                    |
   |--------------------+---------------------------------------------------|
   |     Posted On      | Feb 25, 2010                                      |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | February 25, 2010                                 |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Mark Michelson < mmichelson AT digium DOT com >   |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Host access rules using "permit=" and "deny="            |
   |             | configurations behave unpredictably if the CIDR notation |
   |             | "/0" is used. Depending on the system's behavior, this   |
   |             | may act as desired, but in other cases it might not,     |
   |             | thereby allowing access from hosts that should be        |
   |             | denied.                                                  |
   |             |                                                          |
   |             | Note that even if an unauthorized host is allowed access |
   |             | due to this exploit, authentication measures still in    |
   |             | place would prevent further unauthorized access.         |
   |             |                                                          |
   |             | Note also that there is a workaround for this problem,   |
   |             | which is to use the dotted-decimal format "/0.0.0.0"     |
   |             | instead of CIDR notation. The bug does not exist when    |
   |             | using this format. In addition, this format is what is   |
   |             | used in Asterisk's sample configuration files.           |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Code has been corrected to behave consistently on all     |
   |            | systems when "/0" is used.                                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.6.x  | All 1.6.0, 1.6.1 and 1.6.2      |
   |                            |         | releases                        |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.6.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  C.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |   1.5   | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.2.x  | Unaffected                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |              Product               |              Release              |
   |------------------------------------+-----------------------------------|
   |              Asterisk              |             1.6.0.25              |
   |------------------------------------+-----------------------------------|
   |              Asterisk              |             1.6.1.17              |
   |------------------------------------+-----------------------------------|
   |              Asterisk              |              1.6.2.5              |
   +------------------------------------------------------------------------+

   +-------------------------------------------------------------------------+
   |                                 Patches                                 |
   |-------------------------------------------------------------------------|
   |                               URL                                |Branch|
   |------------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff|1.6.0 |
   |------------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff|1.6.1 |
   |------------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff|1.6.2 |
   +-------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2010-003.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2010-003.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |        Editor        |       Revisions Made        |
   |-------------------+----------------------+-----------------------------|
   | Feb 24, 2010      | Mark Michelson       | Initial Advisory            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2010-003
              Copyright (c) 2010 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Copyright 2013, SecurityGlobal.net LLC