AST-2007-027 - Database matching order permits host-based authentication to be ignored
2007-12-18 14:03:32
               Asterisk Project Security Advisory - AST-2007-027

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Database matching order permits host-based        |
   |                    | authentication to be ignored                      |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Logic error                                       |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | October 30, 2007                                  |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Tilghman Lesher <tlesher AT digium DOT com>       |
   |--------------------+---------------------------------------------------|
   |     Posted On      | December 18, 2007                                 |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | December 18, 2007                                 |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Tilghman Lesher <tlesher AT digium DOT com>       |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-6430                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Due to the way database-based registrations ("realtime") |
   |             | are processed, IP addresses are not checked when the     |
   |             | username is correct and there is no password. An         |
   |             | attacker may impersonate any user using host-based       |
   |             | authentication without a secret, simply by guessing the  |
   |             | username of that user. This is limited in scope to       |
   |             | administrators who have set up the registration database |
   |             | ("realtime") for authentication and are using only       |
   |             | host-based authentication, not passwords. However, both  |
   |             | the SIP and IAX protocols are affected.                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | As a workaround, administrators may set a password for    |
   |            | all users and peers in their registration "realtime"      |
   |            | database. A fix is included in the newest release of      |
   |            | Asterisk, as provided below.                              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | All versions prior to       |
   |                            |             | 1.2.26                      |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | All versions prior to       |
   |                            |             | 1.4.16                      |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | All versions prior to       |
   |                            |             | B.2.3.6                     |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    C.x.x    | All versions prior to       |
   |                            |             | C.1.0-beta8                 |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |    0.x.x    | Not affected                |
   |       Developer Kit        |             |                             |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | Not affected                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                  |          Release           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.2.26           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.4.16           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |          B.2.3.6           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |        C.1.0-beta8         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2007-027.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2007-027.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |      Revisions Made         |
   |-----------------+------------------------+-----------------------------|
   | 2007-12-18      | Tilghman Lesher        | Initial Release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-027
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev
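The matching-order flaw the advisory describes, modelled in Python as an added illustration rather than Asterisk's own code: a simplified "realtime" peer lookup in its flawed and corrected forms, plus the audit the workaround calls for. The Peer record, its constructed permit field and the sample peers are assumptions made for the example.

```python
# Added model of the AST-2007-027 logic error; not Asterisk's own code.
# "Peers" stand in for rows of a realtime registration database. A peer with
# an empty secret relies on host-based authentication (its permit network).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Peer:
    name: str
    secret: str = ""    # empty: host-based authentication only
    permit: str = ""    # constructed field: allowed source network, empty = any


def host_allowed(peer: Peer, src_ip: str) -> bool:
    """The host-based check: source address must fall inside the permit network."""
    if not peer.permit:
        return True
    return ip_address(src_ip) in ip_network(peer.permit, strict=False)


def lookup_flawed(db: List[Peer], name: str, src_ip: str, secret: str) -> Optional[Peer]:
    """Matching order as the advisory describes it: a correct username with no
    password is accepted before the source address is ever consulted."""
    for peer in db:
        if peer.name != name:
            continue
        if not peer.secret:
            return peer                     # flaw: host_allowed() never runs
        if secret == peer.secret and host_allowed(peer, src_ip):
            return peer
    return None


def lookup_fixed(db: List[Peer], name: str, src_ip: str, secret: str) -> Optional[Peer]:
    """Corrected order: the host check applies to every candidate, secret or not."""
    for peer in db:
        if peer.name != name or not host_allowed(peer, src_ip):
            continue
        if not peer.secret or secret == peer.secret:
            return peer
    return None


def peers_without_secret(db: List[Peer]) -> List[str]:
    """Audit for the workaround: names of peers that have no password set."""
    return [peer.name for peer in db if not peer.secret]


# Constructed sample database: one host-only peer and one password peer.
SAMPLE_DB = [
    Peer("branch-pbx", permit="192.0.2.0/24"),
    Peer("alice", secret="correct horse", permit="198.51.100.0/24"),
]
```

Running the two lookups against SAMPLE_DB from an address outside 192.0.2.0/24 shows the flawed order accepting "branch-pbx" while the corrected order rejects it; peers_without_secret() lists the entries the advisory's workaround says should be given a password.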

Re: AST-2007-027 - Database matching order permits host-based authentication to be ignored
2007-12-19 10:56:29
> Asterisk Project Security Advisory - AST-2007-027

This has broken branch/1.4 causing seg faults.  It appears at
first blush that the code called in chan_iax2.c:2700 is not
correct.  I have not yet had time to figure out why.

http://bugs.digium.com/view.php?id=11602

I am updating it as I type....
