Asterisk Project Security Advisory - AST-2010-003
±-----------------------------------------------------------------------+
| Product | Asterisk |
|--------------------±--------------------------------------------------|
| Summary | Invalid parsing of ACL rules can compromise |
| | security |
|--------------------±--------------------------------------------------|
| Nature of Advisory | Unauthorized access to system |
|--------------------±--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------±--------------------------------------------------|
| Severity | Moderate |
|--------------------±--------------------------------------------------|
| Exploits Known | No |
|--------------------±--------------------------------------------------|
| Reported On | Feb 24, 2010 |
|--------------------±--------------------------------------------------|
| Reported By | Mark Michelson |
|--------------------±--------------------------------------------------|
| Posted On | Feb 25, 2010 |
|--------------------±--------------------------------------------------|
| Last Updated On | February 25, 2010 |
|--------------------±--------------------------------------------------|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------±--------------------------------------------------|
| CVE Name | |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Description | Host access rules using "permit=" and "deny=" |
| | configurations behave unpredictably if the CIDR notation |
| | "/0" is used. Depending on the system's behavior, this |
| | may act as desired, but in other cases it might not, |
| | thereby allowing access from hosts that should be |
| | denied. |
| | |
| | Note that even if an unauthorized host is allowed access |
| | due to this exploit, authentication measures still in |
| | place would prevent further unauthorized access. |
| | |
| | Note also that there is a workaround for this problem, |
| | which is to use the dotted-decimal format "/0.0.0.0" |
| | instead of CIDR notation. The bug does not exist when |
| | using this format. In addition, this format is what is |
| | used in Asterisk's sample configuration files. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Resolution | Code has been corrected to behave consistently on all |
| | systems when "/0" is used. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
Affected Versions |
---|
Product |
----------------------------±--------±-------------------------------- |
Asterisk Open Source |
----------------------------±--------±-------------------------------- |
Asterisk Open Source |
----------------------------±--------±-------------------------------- |
Asterisk Open Source |
----------------------------±--------±-------------------------------- |
Asterisk Addons |
----------------------------±--------±-------------------------------- |
Asterisk Addons |
----------------------------±--------±-------------------------------- |
Asterisk Addons |
----------------------------±--------±-------------------------------- |
Asterisk Business Edition |
----------------------------±--------±-------------------------------- |
Asterisk Business Edition |
----------------------------±--------±-------------------------------- |
Asterisk Business Edition |
----------------------------±--------±-------------------------------- |
AsteriskNOW |
----------------------------±--------±-------------------------------- |
s800i (Asterisk Appliance) |
±-----------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
Corrected In |
---|
Product |
------------------------------------±---------------------------------- |
Asterisk |
------------------------------------±---------------------------------- |
Asterisk |
------------------------------------±---------------------------------- |
Asterisk |
±-----------------------------------------------------------------------+ |
±------------------------------------------------------------------------+
Patches |
---|
URL |
------------------------------------------------------------------±----- |
http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff |
------------------------------------------------------------------±----- |
http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff |
------------------------------------------------------------------±----- |
http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff |
±------------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
| Links | |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2010-003.pdf and |
| http://downloads.digium.com/pub/security/AST-2010-003.html |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
Revision History |
---|
Date |
-------------------±---------------------±---------------------------- |
Feb 24, 2010 |
±-----------------------------------------------------------------------+ |
Asterisk Project Security Advisory - AST-2010-003
Copyright (c) 2010 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.