AST-2022-003

Asterisk Project Security Advisory - AST-2022-003

Product	Asterisk
Summary	func_odbc: Possible SQL Injection
Nature of Advisory	SQL injection
Susceptibility	Remote unauthenticated sessions
Severity	Low
Exploits Known	No
Reported On	January 5, 2022
Reported By	Leandro Dardini
Posted On	April 14, 2022
Last Updated On	April 12, 2022
Advisory Contact	Jcolp AT sangoma DOT com
CVE Name	CVE-2022-26651

Description

Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail.

Additionally while it has not yet been reproduced this security advisory is also being published to cover the case of SQL injection with the aim of database manipulation by an outside party.

Modules Affected

func_odbc

Resolution

A new dialplan function, SQL_ESC_BACKSLASHES, has been added to the func_odbc module which will escape backslashes. If your usage of func_odbc may have input which includes backslashes and your database uses backslashes to escape backticks then use the dialplan function to escape the backslashes.

A second option is to disable support for backslashes for escaping in your database if the underlying database supports it.

Affected Versions
Product	Release Series
Asterisk Open Source	16.x	All versions
Asterisk Open Source	18.x	All versions
Asterisk Open Source	19.x	All versions
Certified Asterisk	16.x	All versions

Corrected In
Product	Release
Asterisk Open Source	16.25.2, 18.11.2, 19.3.2
Certified Asterisk	16.8-cert14

Patches
Patch URL	Revision
https://downloads.digium.com/pub/security/AST-2022-003-16.diff	Asterisk 16
https://downloads.digium.com/pub/security/AST-2022-003-18.diff	Asterisk 18
https://downloads.digium.com/pub/security/AST-2022-003-19.diff	Asterisk 19
https://downloads.digium.com/pub/security/AST-2022-003-16.8.diff	Certified Asterisk 16.8

Links

https://issues.asterisk.org/jira/browse/ASTERISK-29838

https://downloads.asterisk.org/pub/security/AST-2022-003.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-003.pdf and https://downloads.digium.com/pub/security/AST-2022-003.html

Revision History
Date	Editor	Revisions Made
February 15, 2022	Joshua Colp	Initial revision

Asterisk Project Security Advisory - AST-2022-003
Copyright © 2022 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.