AST-2018-008: PJSIP Endpoint Presence Disclosure When Using ACL

Home » Asterisk Users » AST-2018-008: PJSIP Endpoint Presence Disclosure When Using ACL
Asterisk Users No Comments

Asterisk Project Security Advisory – AST-2018-008

Product Asterisk
Summary PJSIP endpoint presence disclosure when using ACL
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Minor
Exploits Known No
Reported On April 19, 2018
Reported By John
Posted On June 11, 2018
Last Updated On June 11, 2018
Advisory Contact Rmudgett AT digium DOT com
CVE Name

Description When endpoint specific ACL rules block a SIP request they
respond with a 403 forbidden. However, if an endpoint is
not identified then a 401 unauthorized response is sent.
This vulnerability just discloses which requests hit a
defined endpoint. The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.

Resolution Endpoint specific ACL rules now respond with a 401 challenge
which is the same as if an endpoint were not identified. An
alternate is to use global ACL rules to avoid the
information disclosure.

Affected Versions
Product Release
Series
Asterisk Open Source 13.x 13.10.0 and later
Asterisk Open Source 14.x All releases
Asterisk Open Source 15.x All releases
Certified Asterisk 13.18 All releases
Certified Asterisk 13.21 All releases

Corrected In
Product Release
Asterisk Open Source 13.21.1, 14.7.7, 15.4.1
Certified Asterisk 13.18-cert4, 13.21-cert2

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2018-008-13.diff Asterisk
13
http://downloads.asterisk.org/pub/security/AST-2018-008-14.diff Asterisk
14
http://downloads.asterisk.org/pub/security/AST-2018-008-15.diff Asterisk
15
http://downloads.asterisk.org/pub/security/AST-2018-008-13.18.diff Certified
Asterisk
13.18
http://downloads.asterisk.org/pub/security/AST-2018-008-13.21.diff Certified
Asterisk
13.21

Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2018-008.pdf and
http://downloads.digium.com/pub/security/AST-2018-008.html

Revision History
Date Editor Revisions Made
May 1, 2018 Richard Mudgett Initial revision
June 11, 2018 Richard Mudgett Added Certified Asterisk 13.21

Asterisk Project Security Advisory – AST-2018-008
Copyright (c) 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.