AST-2014-012: Mixed IP Address Families In Access Control Lists May Permit Unwanted Traffic.

Home » Asterisk Users » AST-2014-012: Mixed IP Address Families In Access Control Lists May Permit Unwanted Traffic.
Asterisk Users No Comments

Asterisk Project Security Advisory – AST-2014-012

Product Asterisk
Summary Mixed IP address families in access control lists
may permit unwanted traffic.
Nature of Advisory Unauthorized Access
Susceptibility Remote unauthenticated sessions
Severity Moderate
Exploits Known No
Reported On 25 October, 2014
Reported By Andreas Steinmetz
Posted On 20 November, 2014
Last Updated On November 20, 2014
Advisory Contact Mark Michelson
CVE Name Pending

Description Many modules in Asterisk that service incoming IP traffic
have ACL options (“permit” and “deny”) that can be used to
whitelist or blacklist address ranges. A bug has been
discovered where the address family of incoming packets is
only compared to the IP address family of the first entry
in the list of access control rules. If the source IP
address for an incoming packet is not of the same address
family as the first ACL entry, that packet bypasses all ACL
rules. For ACLs whose rules are all of the same address
family, there is no issue.

Note that while the incoming packet may bypass ACL rules,
the packet is still subject to any authentication
requirements that the specific protocol employs.

This issue affects the following parts of Asterisk

* All VoIP channel drivers

* DUNDi

* Asterisk Manager Interface (AMI)

Resolution The ACL code has been amended to compare the incoming
packet’s source address family against the address families
for all rules.

Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Asterisk Open Source 13.x All versions
Certified Asterisk 1.8.28 All versions
Certified Asterisk 11.6 All versions

Corrected In
Product Release
Asterisk Open Source 1.8.32.1, 11.14.1, 12.7.1, 13.0.1
Certified Asterisk 1.8.28-cert3, 11.6-cert8

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-012-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-012-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2014-012-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-012-11.6.diff Certified
Asterisk
11.6
http://downloads.asterisk.org/pub/security/AST-2014-012-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-012-13.diff Asterisk
13

Links https://issues.asterisk.org/jira/browse/ASTERISK-24469

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-012.pdf and
http://downloads.digium.com/pub/security/AST-2014-012.html

Revision History
Date Editor Revisions Made
5 November, 2014 Mark Michelson Initial Advisory created

Asterisk Project Security Advisory – AST-2014-012
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.