Asterisk Project Security Advisory - AST-2012-013

Product

Asterisk

Summary

ACL rules ignored when placing outbound calls by certain IAX2 users

Nature of Advisory

Unauthorized use of system

Susceptibility

Remote Authenticated Sessions

Severity

Moderate

Exploits Known

None

Reported On

07/27/2012

Reported By

Alan Frisch

Posted On

08/30/2012

Last Updated On

August 31, 2012

Advisory Contact

Matt Jordan < mjordan AT digium DOT com >

CVE Name

CVE-2012-4737



Description

When an IAX2 call is made using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not applied to the call attempt. This allows for a remote attacker who is aware of a peer's credentials to bypass the ACL rules set for that peer.


Resolution

The ACL rules for peers defined in an ARA backend are now honored. Users of chan_iax2 should upgrade to the corrected versions; apply a provided patch; or define their IAX2 peers outside of an ARA backend in a static configuration file.


Affected Versions

Product

Release Series


Asterisk Open Source

1.8.x

All versions

Asterisk Open Source

10.x

All versions

Certified Asterisk

1.8.11

All versions

Asterisk Digiumphones

10.x.x-digiumphones

All versions

Asterisk Business Edition

C.3.x

All versions


Corrected In

Product

Release

Asterisk Open Source

1.8.15.1, 10.7.1

Certified Asterisk

1.8.11-cert7

Asterisk Digiumphones

10.7.1-digiumphones

Asterisk Business Edition

C.3.7.6


Patches

SVN URL

Revision

http://downloads.asterisk.org/pub/security/AST-2012-013-1.8.diff

Asterisk 1.8

http://downloads.asterisk.org/pub/security/AST-2012-013-10.diff

Asterisk 10



Links

https://issues.asterisk.org/jira/browse/ASTERISK-20186


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-013.pdf and http://downloads.digium.com/pub/security/AST-2012-013.html


Revision History

Date

Editor

Revisions Made

08/27/2012

Matt Jordan

Initial Revision

08/31/2012

Matt Jordan

Updated patch links


Asterisk Project Security Advisory - AST-2012-013
Copyright © 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.