Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary
Title: Asterisk: Multiple vulnerabilities

Information
Name: GLSA-200804-13
First vendor publication: 2008-04-14
Vendor: Gentoo
Last vendor modification: 2008-04-14
Severity (vendor): Normal
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N)
CVSS base score: 8.8
Attack range: Network
CVSS impact score: 9.2
Attack complexity: Medium
CVSS exploit score: 8.6
Authentication: None Required

Detail

Synopsis

Multiple vulnerabilities have been found in Asterisk allowing for SQL injection, session hijacking and unauthorized usage.

Background

Asterisk is an open source telephony engine and tool kit.

Description

Asterisk upstream developers reported multiple vulnerabilities:

* The Call Detail Record Postgres logging engine (cdr_pgsql) does not correctly escape the ANI and DNIS arguments before using them in SQL statements (CVE-2007-6170).

* When using database-based registrations ("realtime") and host-based authentication, Asterisk does not check the IP address when the username is correct and there is no password provided (CVE-2007-6430).

* The SIP channel driver does not correctly determine if authentication is required (CVE-2008-1332).

Impact

Remote authenticated attackers could send specially crafted data to Asterisk to execute arbitrary SQL commands and compromise the administrative database. Remote unauthenticated attackers could bypass authentication using a valid username to hijack other users' sessions, and establish sessions on the SIP channel without authentication.

Workaround

There is no known workaround at this time.

Resolution

All Asterisk users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.27"

References

[ 1 ] CVE-2007-6170 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6170
[ 2 ] CVE-2007-6430 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6430
[ 3 ] CVE-2008-1332 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1332

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200804-13.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200804-13.xml

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-287 Improper Authentication
33 % CWE-264 Permissions, Privileges, and Access Controls
33 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:18041
Title: DSA-1417-1 asterisk - SQL injection
Description: Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitising of call-related data, which may lead to SQL injection.
Family: unix Class: patch
Reference(s): DSA-1417-1, CVE-2007-6170
Version: 5
Platform(s): Debian GNU/Linux 4.0
Product(s): asterisk
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 15
Application 11
Application 24
Application 5
Application 138
Application 7
Application 183
Os 2

OpenVAS Exploits

Date Description
2009-02-16 Name : Fedora Update for asterisk FEDORA-2008-2554
File : nvt/gb_fedora_2008_2554_asterisk_fc8.nasl
2009-02-16 Name : Fedora Update for asterisk FEDORA-2008-2620
File : nvt/gb_fedora_2008_2620_asterisk_fc7.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200804-13 (asterisk)
File : nvt/glsa_200804_13.nasl
2008-03-27 Name : Debian Security Advisory DSA 1525-1 (asterisk)
File : nvt/deb_1525_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1417-1 (asterisk)
File : nvt/deb_1417_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
43415 Asterisk SIP Channel Driver Unauthenticated Call Remote Privilege Escalation

39519 Asterisk Host Based Registration Database Security Bypass

38932 Asterisk Call Detail Record Postgres Multiple Strings SQL Injection

Nessus® Vulnerability Scanner

Date Description
2008-05-07 Name : It is possible to bypass authentication and make calls using the remote VoIP ...
File : asterisk_sip_auth_bypass.nasl - Type : ACT_ATTACK
2008-04-17 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200804-13.nasl - Type : ACT_GATHER_INFO
2008-04-17 Name : The remote openSUSE host is missing a security update.
File : suse_asterisk-5169.nasl - Type : ACT_GATHER_INFO
2008-03-26 Name : The remote Fedora host is missing a security update.
File : fedora_2008-2554.nasl - Type : ACT_GATHER_INFO
2008-03-26 Name : The remote Fedora host is missing a security update.
File : fedora_2008-2620.nasl - Type : ACT_GATHER_INFO
2008-03-21 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1525.nasl - Type : ACT_GATHER_INFO
2008-03-07 Name : The remote openSUSE host is missing a security update.
File : suse_asterisk-5062.nasl - Type : ACT_GATHER_INFO
2007-12-04 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1417.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:35:45
  • Multiple Updates