AST-2010-003: Invalid parsing of ACL rules can compromise security

           Asterisk Project Security Advisory - AST-2010-003

±-----------------------------------------------------------------------+
| Product | Asterisk |
|--------------------±--------------------------------------------------|
| Summary | Invalid parsing of ACL rules can compromise |
| | security |
|--------------------±--------------------------------------------------|
| Nature of Advisory | Unauthorized access to system |
|--------------------±--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------±--------------------------------------------------|
| Severity | Moderate |
|--------------------±--------------------------------------------------|
| Exploits Known | No |
|--------------------±--------------------------------------------------|
| Reported On | Feb 24, 2010 |
|--------------------±--------------------------------------------------|
| Reported By | Mark Michelson |
|--------------------±--------------------------------------------------|
| Posted On | Feb 25, 2010 |
|--------------------±--------------------------------------------------|
| Last Updated On | February 25, 2010 |
|--------------------±--------------------------------------------------|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------±--------------------------------------------------|
| CVE Name | |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Description | Host access rules using "permit=" and "deny=" |
| | configurations behave unpredictably if the CIDR notation |
| | "/0" is used. Depending on the system's behavior, this |
| | may act as desired, but in other cases it might not, |
| | thereby allowing access from hosts that should be |
| | denied. |
| | |
| | Note that even if an unauthorized host is allowed access |
| | due to this exploit, authentication measures still in |
| | place would prevent further unauthorized access. |
| | |
| | Note also that there is a workaround for this problem, |
| | which is to use the dotted-decimal format "/0.0.0.0" |
| | instead of CIDR notation. The bug does not exist when |
| | using this format. In addition, this format is what is |
| | used in Asterisk's sample configuration files. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Resolution | Code has been corrected to behave consistently on all |
| | systems when "/0" is used. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±------------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Links | |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2010-003.pdf and |
| http://downloads.digium.com/pub/security/AST-2010-003.html |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

           Asterisk Project Security Advisory - AST-2010-003
          Copyright (c) 2010 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.