Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200804-13 ] Asterisk: Multiple vulnerabilities
Date: Mon, 14 Apr 2008 22:38:13
Message-Id: 200804150031.26504.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200804-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Asterisk: Multiple vulnerabilities
      Date: April 14, 2008
      Bugs: #200792, #202733, #213883
        ID: 200804-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Asterisk, allowing SQL
injection, session hijacking and unauthorized use.

Background
==========

Asterisk is an open source telephony engine and toolkit.

Affected packages
=================

    -------------------------------------------------------------------
     Package                          /  Vulnerable  /     Unaffected
    -------------------------------------------------------------------
  1  net-misc/asterisk                     < 1.2.27             >= 1.2.27

Description
===========

Asterisk upstream developers reported multiple vulnerabilities:

* The Call Detail Record Postgres logging engine (cdr_pgsql) does not
  correctly escape the ANI and DNIS arguments before using them in SQL
  statements (CVE-2007-6170).

* When using database-based registrations ("realtime") and host-based
  authentication, Asterisk does not check the IP address when the
  username is correct and there is no password provided
  (CVE-2007-6430).

* The SIP channel driver does not correctly determine if
  authentication is required (CVE-2008-1332).

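To make the first item concrete, the following is an added example written for this page, not Asterisk's cdr_pgsql code: a CDR INSERT built from unescaped caller data next to the escaped form that closes the hole. The cdr table, its columns, the cdr_record fields and the sample caller number are assumptions made for illustration; sql_escape() mirrors what libpq's PQescapeStringConn does (doubling single quotes, and backslashes for servers with standard_conforming_strings off), and count_statements() is a small checker used here only to show the difference between the two statements.

```c
/* Added example, not Asterisk's cdr_pgsql.c: unescaped CDR fields in
 * an INSERT versus the escaped form. Table, columns, struct fields and
 * sample values are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cdr_record {
    const char *src;      /* ANI: caller number, attacker-influenced */
    const char *dst;      /* DNIS: dialled number, attacker-influenced */
    const char *channel;
    int duration;
};

/* Escape a value for a single-quoted SQL literal the way libpq's
 * PQescapeStringConn does: double every ' and every backslash
 * (backslash doubling matters when standard_conforming_strings is
 * off, the default on the PostgreSQL 8.x servers of the time).
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *sql_escape(const char *in)
{
    char *out = malloc(2 * strlen(in) + 1), *p = out;
    if (!out)
        return NULL;
    for (; *in; in++) {
        if (*in == '\'' || *in == '\\')
            *p++ = *in;             /* emit the metacharacter twice */
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

#define CDR_INSERT \
    "INSERT INTO cdr (src, dst, channel, duration) VALUES ('%s','%s','%s',%d)"

/* Vulnerable: fields go into the statement exactly as the channel
 * driver received them from the remote party. */
int build_insert_vulnerable(const struct cdr_record *c, char *buf, size_t len)
{
    return snprintf(buf, len, CDR_INSERT, c->src, c->dst, c->channel, c->duration);
}

/* Hardened: every string field passes through sql_escape() first. */
int build_insert_hardened(const struct cdr_record *c, char *buf, size_t len)
{
    char *src = sql_escape(c->src), *dst = sql_escape(c->dst),
         *chan = sql_escape(c->channel);
    int n = -1;
    if (src && dst && chan)
        n = snprintf(buf, len, CDR_INSERT, src, dst, chan, c->duration);
    free(src);
    free(dst);
    free(chan);
    return n;
}

/* Counts top-level statements, honouring '...' literals ('' inside one
 * is an escaped quote) and -- comments. A correctly escaped CDR insert
 * always yields 1; an injected one yields more. */
int count_statements(const char *sql)
{
    int in_quote = 0, count = 0, pending = 0;
    for (const char *p = sql; *p; p++) {
        if (in_quote) {
            if (*p == '\'' && p[1] == '\'')
                p++;                /* doubled quote stays in literal */
            else if (*p == '\'')
                in_quote = 0;
        } else if (*p == '\'') {
            in_quote = 1;
        } else if (*p == '-' && p[1] == '-') {
            while (p[1] && p[1] != '\n')
                p++;                /* rest of line is a comment */
            continue;
        } else if (*p == ';') {
            count++;
            pending = 0;
            continue;
        } else if (*p == ' ' || *p == '\t' || *p == '\n') {
            continue;
        }
        pending = 1;
    }
    return count + pending;
}

/* Constructed sample: a caller number carrying an injection payload. */
static const struct cdr_record sample = {
    "'); DROP TABLE cdr; --", "5551234", "SIP/2001-00000001", 42
};

int main(void)
{
    char v[512], h[512];
    build_insert_vulnerable(&sample, v, sizeof v);
    build_insert_hardened(&sample, h, sizeof h);
    printf("vulnerable (%d statements): %s\n", count_statements(v), v);
    printf("hardened   (%d statements): %s\n", count_statements(h), h);
    return 0;
}
```

With the sample record, the vulnerable builder produces two statements (the INSERT is closed early and a DROP follows), while the hardened one keeps the whole payload inside the src literal. A parameterised query (PQexecParams) avoids the escaping step altogether and is the better choice where the client library offers it.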
Impact
======

Remote authenticated attackers could send specially crafted data to
Asterisk to execute arbitrary SQL commands and compromise the
administrative database. Remote unauthenticated attackers could bypass
authentication using a valid username to hijack other users' sessions,
and could establish sessions on the SIP channel without authenticating.

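The second description item and the session-hijacking impact above come down to one missing check. The following is an added example written for this page, not Asterisk's chan_sip code: a minimal model of the peer authorization decision, with the vulnerable form that skips the source-address check for a host-authenticated peer beside the hardened form. The sip_peer fields, the addresses and the plain-string credential compare (real SIP uses digest authentication) are assumptions made for illustration.

```c
/* Added example, not Asterisk's chan_sip.c: a minimal model of the
 * peer authorization decision behind CVE-2007-6430. Peer fields,
 * addresses and the plain-string credential compare (real SIP uses
 * digest authentication) are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sip_peer {
    const char *name;     /* username presented in the request */
    const char *secret;   /* "" : host-based authentication only */
    uint32_t host;        /* configured source address, 0 = none */
};

/* Host-order IPv4 address from a dotted quad, for readable samples. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | d;
}

/* Vulnerable decision: a host-authenticated peer (no secret) is
 * accepted on a matching username alone; the source address of the
 * request is never consulted. */
int authorize_vulnerable(const struct sip_peer *p, const char *user,
                         const char *password, uint32_t src)
{
    (void)src;                                  /* never looked at */
    if (strcmp(p->name, user) != 0)
        return 0;
    if (p->secret[0] == '\0')
        return 1;                               /* host check skipped */
    return password != NULL && strcmp(p->secret, password) == 0;
}

/* Hardened decision: a peer without a secret is trusted only when the
 * request comes from its configured host, and a request without a
 * password never passes a peer that has a secret. */
int authorize_hardened(const struct sip_peer *p, const char *user,
                       const char *password, uint32_t src)
{
    if (strcmp(p->name, user) != 0)
        return 0;
    if (p->secret[0] == '\0')
        return p->host != 0 && src == p->host;
    if (password == NULL || password[0] == '\0')
        return 0;
    return strcmp(p->secret, password) == 0;
}

int main(void)
{
    /* Constructed sample: a trunk peer that authenticates by host. */
    struct sip_peer trunk = { "trunk", "", ip4(192, 168, 1, 5) };
    uint32_t attacker = ip4(10, 0, 0, 1);

    printf("vulnerable, 'trunk' from 10.0.0.1:   %d\n",
           authorize_vulnerable(&trunk, "trunk", NULL, attacker));
    printf("hardened,   'trunk' from 10.0.0.1:   %d\n",
           authorize_hardened(&trunk, "trunk", NULL, attacker));
    printf("hardened,   'trunk' from 192.168.1.5: %d\n",
           authorize_hardened(&trunk, "trunk", NULL, trunk.host));
    return 0;
}
```

The point to check in any deployment that relies on host-based peers is the second branch: knowing a valid username must never be sufficient on its own, and a peer with no secret must be tied to a non-zero host before it is accepted.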
Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Asterisk users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.27"

References
==========

  [ 1 ] CVE-2007-6170
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6170
  [ 2 ] CVE-2007-6430
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6430
  [ 3 ] CVE-2008-1332
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1332

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200804-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature