Asterisk Lets Remote Users Bypass Host-based Access Controls in Certain Cases
SecurityTracker Alert ID: 1019110
SecurityTracker URL: http://securitytracker.com/id/1019110
CVE Reference:
CVE-2007-6430
Date: Dec 18 2007
Impact:
Host/resource access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 1.4.16
Description:
A vulnerability was reported in Asterisk. A remote user can bypass access controls in certain cases.
When a "realtime" database-based registration is processed and the username is correct and there is no password, the system does not check the IP address. A remote user can impersonate arbitrary users that rely on host-based authentication without a password.
Both the SIP and IAX protocols are affected.
The vendor was notified on October 30, 2007.
Tilghman Lesher reported this vulnerability.
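The matching-order flaw described above, as a simplified added model that is not Asterisk's own code: the `Peer` record, the sample peer table and the two registration functions are constructed for illustration, contrasting the order that skips the host check when no secret is configured with one that always applies it.

```python
# Added example, not Asterisk code: a simplified model of realtime peer
# matching. A peer has a name, an optional secret and an optional host
# restriction. The vulnerable order treats "username matched, no secret"
# as success without consulting the host field; the fixed order applies
# the host check before anything else.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Peer:
    name: str
    secret: Optional[str]   # None or "" means no password configured
    host: Optional[str]     # permitted source IP, or None for any host


# Constructed sample of a realtime-style peer table (RFC 5737 addresses).
PEERS = {
    "alice": Peer("alice", "s3cret", None),            # password-based
    "pbx-trunk": Peer("pbx-trunk", None, "192.0.2.10"),  # host-based only
}


def register_vulnerable(peers, username, secret, src_ip):
    """Matching order that ignores host-based authentication."""
    peer = peers.get(username)
    if peer is None:
        return False
    if not peer.secret:
        # Defect: name matched and no secret is set, so the registration
        # is accepted here and peer.host is never compared to src_ip.
        return True
    return secret == peer.secret and peer.host in (None, src_ip)


def register_fixed(peers, username, secret, src_ip):
    """Corrected order: the host restriction is always enforced."""
    peer = peers.get(username)
    if peer is None:
        return False
    # Evaluate the host restriction regardless of whether a secret exists.
    if peer.host is not None and peer.host != src_ip:
        return False
    if not peer.secret:
        return True  # host-only authentication, host already verified
    return secret == peer.secret
```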
Impact:
A remote user can bypass access controls in certain cases.
Solution:
The vendor has issued a fixed version (1.4.16).
The Asterisk advisory is available at:
http://downloads.digium.com/pub/security/AST-2007-027.html
Vendor URL: downloads.digium.com/pub/security/AST-2007-027.html
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
None.
Source Message Contents
Date: Tue, 18 Dec 2007 14:03:42 -0600
Subject: AST-2007-027 - Database matching order permits host-based authentication to be ignored