Product

Asterisk

Summary

ACL not respected on SIP INVITE

Nature of Advisory

Unauthorized calls allowed on prohibited networks

Susceptibility

Remote unauthorized session

Severity

Critical

Exploits Known

No

Reported On

October 18, 2009

Reported By

Thomas Athineou <thom_winkler AT web DOT de>

Posted On

October 26, 2009

Last Updated On

October 26, 2009

Advisory Contact

Jeff Peeler <jpeeler AT digium DOT com>

CVE Name

Description

A missing ACL check for handling SIP INVITEs allows a device to make calls on networks intended to be prohibited as defined by the "deny" and "permit" lines in sip.conf. The ACL check for handling SIP registrations was not affected.

Resolution

Users should upgrade to a version listed in the “Corrected In” section below.

Affected Versions

Product

Release Series

Asterisk Open Source

1.2.x

Unaffected

Asterisk Open Source

1.4.x

Unaffected

Asterisk Open Source

1.6.x

All 1.6.1 versions

Asterisk Addons

1.2.x

Unaffected

Asterisk Addons

1.4.x

Unaffected

Asterisk Addons

1.6.x

Unaffected

Asterisk Business Edition

A.x.x

Unaffected

Asterisk Business Edition

B.x.x

Unaffected

Asterisk Business Edition

C.x.x

Unaffected

AsteriskNOW

1.5

Unaffected

s800i (Asterisk Appliance)

1.2.x

Unaffected

Corrected In

Product

Release

Open Source Asterisk 1.6.1

1.6.1.8

Patches

SVN URL

Version

http://downloads.digium.com/pub/security/AST-2009-007-1.6.1.diff.txt

1.6.1

Links

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2009-007.pdf and http://downloads.digium.com/pub/security/AST-2009-007.html

Revision History

Date

Editor

Revisions Made

October 26, 2009

Jeff Peeler

Initial release