Asterisk Project Security Advisory - AST-2007-025

Product

Asterisk

Summary

SQL Injection issue in res_config_pgsql

Nature of Advisory

SQL Injection

Susceptibility

Remote Unauthenticated Sessions

Severity

Moderate

Exploits Known

No

Reported On

November 29, 2007

Reported By

P. Chisteas <p_christ AT hol DOT gr>

Posted On

November 29, 2007

Last Updated On

November 29, 2007

Advisory Contact

Tilghman Lesher <tlesher AT digium DOT com>

CVE Name

CVE-2007-6171



Description

Input buffers were not properly escaped when providing lookup data to the Postgres Realtime Engine. An attacker could potentially compromise the administrative database containing users' usernames and passwords used for SIP authentication, among other things.


This module is not active by default and must be configured for use by the administrator. Default installations of Asterisk are not affected.
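The defect class described above, as an added illustration that is not Asterisk's res_config_pgsql code: a realtime lookup value pasted into a SQL string as-is, beside a builder that escapes the value first. The escaping routine doubles single quotes, which is the SQL-standard form and what libpq's PQescapeStringConn produces when standard_conforming_strings is on (backslash handling for the legacy server setting is left out; that simplification, the table and column names, and the sample value are assumptions made for the example). A small delimiter counter shows how a quote in the input changes the statement's structure.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative code only; not from Asterisk. Table/column names and the
 * sample lookup value are constructed for the example.
 */

/* Escape SRC for use inside a single-quoted SQL literal by doubling every
 * single quote (SQL-standard escaping; assumes standard_conforming_strings
 * is on, so backslashes are not special). Returns bytes written, excluding
 * the terminator. */
size_t sql_escape_literal(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dstsize == 0)
        return 0;
    for (const char *p = src; *p != '\0'; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (n + need >= dstsize)
            break;                      /* keep room for the terminator */
        dst[n++] = *p;
        if (*p == '\'')
            dst[n++] = '\'';            /* ' becomes '' */
    }
    dst[n] = '\0';
    return n;
}

/* Vulnerable pattern: the lookup value goes straight into the query text. */
int build_lookup_unsafe(char *out, size_t outsize,
                        const char *table, const char *column, const char *value)
{
    return snprintf(out, outsize, "SELECT * FROM %s WHERE %s = '%s'",
                    table, column, value);
}

/* Hardened pattern: the value is escaped before it enters the literal. */
int build_lookup_escaped(char *out, size_t outsize,
                         const char *table, const char *column, const char *value)
{
    char esc[256];
    sql_escape_literal(esc, sizeof esc, value);
    return snprintf(out, outsize, "SELECT * FROM %s WHERE %s = '%s'",
                    table, column, esc);
}

/* Count single quotes that act as literal delimiters. A doubled quote ('')
 * is an escaped quote inside a literal and is skipped. A statement with
 * exactly one string literal must report 2. */
int count_literal_delimiters(const char *sql)
{
    int count = 0;
    for (const char *p = sql; *p != '\0'; p++) {
        if (*p != '\'')
            continue;
        if (p[1] == '\'') {
            p++;                        /* skip the escaped pair */
            continue;
        }
        count++;
    }
    return count;
}

/* Returns 1 if BUILDER, given VALUE, still yields a statement containing
 * exactly one string literal; 0 if the input altered the statement shape. */
int lookup_keeps_single_literal(int (*builder)(char *, size_t, const char *,
                                               const char *, const char *),
                                const char *value)
{
    char sql[512];
    builder(sql, sizeof sql, "sip_users", "name", value);
    return count_literal_delimiters(sql) == 2;
}

int main(void)
{
    /* Constructed sample: a realtime lookup key that contains a quote. */
    const char *value = "O'Reilly";
    char sql[512];

    build_lookup_unsafe(sql, sizeof sql, "sip_users", "name", value);
    printf("unsafe : %s  (delimiters=%d)\n", sql, count_literal_delimiters(sql));
    build_lookup_escaped(sql, sizeof sql, "sip_users", "name", value);
    printf("escaped: %s  (delimiters=%d)\n", sql, count_literal_delimiters(sql));
    return 0;
}
```

With the unescaped builder the sample value produces three delimiter quotes, so the literal ends early and the rest of the input is parsed as SQL; the escaped builder keeps a single literal. Escaping is the minimal fix for code that assembles query text; the stronger option with libpq is PQexecParams, which passes the value as a bound parameter so it never becomes part of the SQL text at all.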


Workaround

Convert your installation to use res_config_odbc with the PgsqlODBC driver. This module provides similar functionality but is not vulnerable.


Resolution

Upgrade to Asterisk release 1.4.15 or higher.


Affected Versions

  Product                             Release Series   Affected Versions
  Asterisk Open Source                1.0.x            None
  Asterisk Open Source                1.2.x            None
  Asterisk Open Source                1.4.x            1.4.14 and previous versions
  Asterisk Business Edition           A.x.x            None
  Asterisk Business Edition           B.x.x            None
  Asterisk Business Edition           C.x.x            C.1.0-beta5 and previous versions
  AsteriskNOW                         pre-release      None
  Asterisk Appliance Developer Kit    0.x.x            None
  s800i (Asterisk Appliance)          1.0.x            None


Corrected In

  Product                             Release
  Asterisk Open Source                1.4.15
  Asterisk Business Edition           C.1.0-beta6




Links



Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2007-025.pdf and http://downloads.digium.com/pub/security/AST-2007-025.html


Revision History

  Date         Editor             Revisions Made
  2007-11-29   Tilghman Lesher    Initial release
  2007-11-29   Tilghman Lesher    Added CVE number, ABE C version


Copyright © 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.