News
Vigil@nce: Asterisk, bypassing ACLs
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker, who is normally blocked by ACLs, can send SIP INVITE messages to Asterisk.
Severity: 2/4
Consequences: data flow
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 26/02/2010
IMPACTED PRODUCTS
Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The Asterisk program implements a VoIP service. A SIP INVITE message is used during the initialization of a VoIP session.
The sip.conf configuration file of Asterisk can contain rules
(ACLs with "permit" and "deny") to restrict clients which are
allowed to send SIP INVITE messages. For example:
deny=64.198.7.0/24 (notation CIDR)
deny=64.198.7.0/255.255.255.0 (notation dotted-decimal)
The acl.c file implements the CIDR notation using a 32 bit mask (mask<<(32-x)). However, if the indicated size is zero, the left shift of 32 bit is ignored. The resulting mask is thus invalid.
An attacker, who is normally blocked by a "x.x.x.x/0" ACL, can therefore send SIP INVITE messages to Asterisk.
CHARACTERISTICS
Identifiers: AST-2010-003, BID-38424, VIGILANCE-VUL-9476
