[SR-Users] Asterisk Security Advisory (AST-2016-009)
Fred Posner
fred at palner.com
Fri Dec 9 00:05:39 CET 2016
Thank you for the post-- definitely appreciate you sharing it on this list.
--fred
On 12/8/16 6:02 PM, Matthew Jordan wrote:
> Hey all -
>
> The Asterisk project just released a security advisory for a security
> vulnerability in which Asterisk using chan_sip with a proxy can allow for
> unauthenticated calls. This affects all supported versions of Asterisk (11,
> 13, 14). Since that may be relevant to those on this mailing list who are
> not also on the asterisk-users mailing list, I thought it prudent to
> mention it here as well.
>
> A description of the vulnerability follows:
>
> Description: The chan_sip channel driver has a liberal definition for
> whitespace when attempting to strip the content between a
> SIP header name and a colon character. Rather than
> following RFC 3261 and stripping only spaces and horizontal
> tabs, Asterisk treats any non-printable ASCII character as
> if it were whitespace. This means that headers such as
>
> Contact\x01:
>
> will be seen as a valid Contact header.
>
> This mostly does not pose a problem until Asterisk is
> placed in tandem with an authenticating SIP proxy. In such
> a case, a crafty combination of valid and invalid To
> headers can cause a proxy to allow an INVITE request into
> Asterisk without authentication since it believes the
> request is an in-dialog request. However, because of the
> bug described above, the request will look like an
> out-of-dialog request to Asterisk. Asterisk will then
> process the request as a new call. The result is that
> Asterisk can process calls from unvetted sources without
> any authentication.
>
> If you do not use a proxy for authentication, then this
> issue does not affect you.
>
> If your proxy is dialog-aware (meaning that the proxy keeps
> track of what dialogs are currently valid), then this issue
> does not affect you.
>
> If you use chan_pjsip instead of chan_sip, then this issue
> does not affect you.
>
>
> The announcement can be seen here:
>
> http://lists.digium.com/pipermail/asterisk-announce/2016-December/000662.html
>
> Thanks again to Walter Doekes for reporting the vulnerability and providing
> the patch to fix it.
>
> Matt
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
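The parsing discrepancy the advisory describes, as an added example that is not part of the original post and not chan_sip's or Kamailio's own code: a strict header-name parser that strips only SP and HTAB per RFC 3261 (as a compliant proxy would) next to a liberal one that also treats any non-printable ASCII byte as whitespace (the pre-fix chan_sip behaviour), run over one constructed INVITE that carries both a valid To header and a `To\x01` header. The message, the header order, and the assumption that each side honours the first To header it recognises are mine for illustration; the advisory does not spell out the exact header combination used. The `malformed_header_names` check at the end is the defensive test a proxy operator would want: reject any request whose header names are not clean tokens, so the proxy and the endpoint behind it can never disagree about which header is which.

```python
import re
from typing import List, Optional, Tuple

# RFC 3261 section 25.1: header field names are tokens built from these bytes.
_TOKEN_RE = re.compile(rb"^[A-Za-z0-9\-.!%*_+`'~]+$")
_TAG_RE = re.compile(rb";\s*tag=", re.IGNORECASE)


def _strip_name(name: bytes, liberal: bool) -> bytes:
    """Strip the 'whitespace' between a header name and its colon.

    strict : only SP and HTAB, which is all RFC 3261's HCOLON rule allows.
    liberal: additionally every non-printable ASCII byte, the behaviour the
             advisory describes for chan_sip before the fix.
    """
    if liberal:
        return name.rstrip(b" \t" + bytes(range(0x00, 0x20)) + b"\x7f")
    return name.rstrip(b" \t")


def parse_headers(raw: bytes, liberal: bool) -> List[Tuple[bytes, bytes]]:
    """Parse the header section into (lowercased name, value) pairs.

    A line whose name is not a valid token after stripping is skipped, which
    is how a compliant parser treats a header it cannot recognise. Header
    folding is not handled; this is a demonstration, not a full SIP parser.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = _strip_name(name, liberal)
        if not _TOKEN_RE.match(name):
            continue
        headers.append((name.lower(), value.strip()))
    return headers


def first_header(headers: List[Tuple[bytes, bytes]], name: bytes) -> Optional[bytes]:
    """Value of the first header with the given name, or None."""
    name = name.lower()
    for n, v in headers:
        if n == name:
            return v
    return None


def dialog_state(raw: bytes, liberal: bool) -> str:
    """An INVITE whose To header carries a tag is in-dialog (a re-INVITE on an
    existing dialog); one without a To tag is a new call (RFC 3261 8.2.2.1).
    Assumption: the first recognised To header is the one that counts."""
    to = first_header(parse_headers(raw, liberal), b"To")
    if to is not None and _TAG_RE.search(to):
        return "in-dialog"
    return "out-of-dialog"


def malformed_header_names(raw: bytes) -> List[bytes]:
    """Defensive check: header names that are not RFC 3261 tokens once only
    SP/HTAB is stripped. A proxy that rejects requests containing any such
    name removes the ambiguity this advisory relies on."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    bad = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, _value = line.partition(b":")
        if sep and not _TOKEN_RE.match(name.rstrip(b" \t")):
            bad.append(name)
    return bad


# Constructed request (not a capture): an untagged To header with a \x01 byte
# before the colon, followed by a valid, tagged To header, plus the advisory's
# own Contact\x01 example. Addresses are RFC 5737 documentation space.
CRAFTED_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To\x01: <sip:bob@example.com>\r\n"
    b"To: <sip:bob@example.com>;tag=a6c85cf\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.1\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Contact\x01: <sip:alice@192.0.2.1>\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for liberal in (False, True):
        label = "liberal (pre-fix chan_sip)" if liberal else "strict (RFC 3261 proxy)"
        print(f"{label:26s}: {dialog_state(CRAFTED_INVITE, liberal)}")
    print("malformed header names:", malformed_header_names(CRAFTED_INVITE))
```

Run stand-alone, the strict parser skips the `To\x01` line, sees the tagged To header and calls the INVITE in-dialog, while the liberal parser accepts `To\x01` as To, sees no tag and calls it a new call: exactly the split the advisory describes between a non-dialog-aware authenticating proxy and chan_sip. The same split makes `Contact\x01` visible only to the liberal side. Rejecting anything `malformed_header_names` flags, or using a dialog-aware proxy as the advisory suggests, closes the gap independently of the Asterisk patch.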