Asterisk Lets Remote Users Bypass Proxy Authentication to Access the Target System
SecurityTracker Alert ID: 1037408
SecurityTracker URL: http://securitytracker.com/id/1037408
CVE Reference: CVE-2016-9938
Updated: Dec 13 2016
Original Entry Date: Dec 9 2016
Impact: Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 11.x, 13.x, 14.x
Description:
A vulnerability was reported in Asterisk. A remote user can bypass proxy authentication.
The chan_sip channel driver uses a more liberal definition of whitespace when parsing SIP headers than RFC 3261 specifies and than a SIP proxy applies, so the proxy and Asterisk can parse the same request differently. As a result, if Asterisk is deployed behind an authenticating SIP proxy, a remote user can supply specially crafted SIP headers that the proxy forwards without requiring authentication but that Asterisk accepts as a new INVITE request to the target system.
Systems using dialog-aware proxies are not affected.
Systems using chan_pjsip rather than chan_sip are not affected.
Walter Doekes reported this vulnerability.
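To make the parsing mismatch concrete, here is an added Python example; it is not code from this advisory, from Asterisk, or from the reporter. It contrasts an RFC 3261 header parser, which allows only space and horizontal tab between a field name and the colon, with a lenient parser that also strips ASCII control characters there. The lenient character set, the header names, the addresses and the INVITE message are constructed assumptions for illustration; the block shows only that the two parsers see different headers in the same request and does not reproduce the actual exploit, which this page does not describe.

```python
import re
from typing import List, Optional, Tuple

# RFC 3261 section 25.1: header = field-name HCOLON field-value,
# HCOLON = *( SP / HTAB ) ":" SWS. Only space and horizontal tab may appear
# between the field name and the colon.
RFC3261_NAME_WS = " \t"

# Assumed lenient set for this example: every ASCII control character is also
# stripped before the colon. This is a constructed illustration of a parser
# whose notion of whitespace is wider than the RFC's, not Asterisk's code.
LENIENT_NAME_WS = "".join(chr(c) for c in range(0x00, 0x20)) + "\x7f"

# RFC 3261 token characters, the only ones a valid header field name may use.
TOKEN_RE = re.compile(r"[A-Za-z0-9.!%*_+`'~-]+")

# Constructed INVITE for this example (not captured traffic). The first To
# line carries a 0x01 byte between the name and the colon.
CONSTRUCTED_INVITE = (
    b"INVITE sip:100@pbx.example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:caller@203.0.113.5>;tag=1928301774\r\n"
    b"To\x01: <sip:caller@203.0.113.5>\r\n"
    b"To: <sip:100@pbx.example.invalid>\r\n"
    b"Call-ID: a84b4c76e66710@203.0.113.5\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def header_lines(raw: bytes) -> List[str]:
    """Return the header lines of a SIP message, without the request line."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


def parse_headers(raw: bytes, name_ws: str) -> List[Tuple[str, str]]:
    """Parse headers into (lower-cased name, value) pairs.

    name_ws is the set of characters stripped between the field name and the
    colon. A line whose remaining name is not an RFC 3261 token is ignored,
    which is what a strict implementation does with a malformed header.
    (Header folding is not handled; it is irrelevant to the point shown.)
    """
    parsed = []
    for line in header_lines(raw):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.rstrip(name_ws)
        if not TOKEN_RE.fullmatch(name):
            continue
        parsed.append((name.lower(), value.strip()))
    return parsed


def first_header(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Value of the first header with the given name, as most parsers pick it."""
    for n, v in headers:
        if n == name.lower():
            return v
    return None


def find_nonstandard_header_names(raw: bytes) -> List[str]:
    """Detection check: field names that are not a clean token after stripping
    only SP/HTAB. These are the lines a strict and a lenient parser disagree on."""
    flagged = []
    for line in header_lines(raw):
        if ":" not in line:
            continue
        name = line.split(":", 1)[0].rstrip(RFC3261_NAME_WS)
        if not TOKEN_RE.fullmatch(name):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    strict = parse_headers(CONSTRUCTED_INVITE, RFC3261_NAME_WS)
    lenient = parse_headers(CONSTRUCTED_INVITE, LENIENT_NAME_WS)
    print("strict parser  To:", first_header(strict, "To"))
    print("lenient parser To:", first_header(lenient, "To"))
    print("flagged names:", find_nonstandard_header_names(CONSTRUCTED_INVITE))
```

The strict parser drops the `To\x01` line and sees one To header; the lenient parser accepts it and sees a different first To. A proxy and a PBX that disagree in this way are not looking at the same request, which is the condition the description above relies on; how any particular proxy then routes the request depends on its own parser and is not covered here. The practical check is find_nonstandard_header_names(): run over SIP traffic captured at the proxy, it flags requests whose field names contain characters outside the RFC token set. The durable fix remains the vendor's: upgrade to the listed releases, or use chan_pjsip.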
Impact:
A remote user can bypass proxy authentication to access the target system in certain cases.
Solution:
The vendor has issued a fix (11.25.1, 13.13.1, 14.2.1).
The vendor advisory is available at:
http://downloads.digium.com/pub/security/ASTERISK-2016-009.html
Vendor URL: downloads.digium.com/pub/security/ASTERISK-2016-009.html
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
None.
Source Message Contents:
[Original Message Not Available for Viewing]