ACL not respected on SIP INVITE

Bug #491632 reported by Dave Walker on 2009-12-02
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
asterisk (Ubuntu) | | Undecided | Dave Walker |
Karmic | | Undecided | Dave Walker |

Bug Description

Binary package hint: asterisk

A missing ACL check for handling SIP INVITEs allows a device to make calls on networks intended to be prohibited as defined by the "deny" and "permit" lines in sip.conf. The ACL check for handling SIP registrations was not affected.

http://downloads.asterisk.org/pub/security/AST-2009-007.html
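
The gap described above, modelled as an added example (not code from chan_sip.c or from the upstream patch): a peer's "deny"/"permit" lines are evaluated the same way for every request, but the unpatched path consults them only for REGISTER. All function and type names are hypothetical, the addresses are constructed, and the model assumes rules are evaluated in order with the last match deciding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names throughout; a model of the logic, not chan_sip.c code. */
enum sense { DENY = 0, PERMIT = 1 };
struct acl_rule { uint32_t net, mask; enum sense sense; };  /* one deny=/permit= line */

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Rules are walked in order, the last match decides, no match means permit. */
static enum sense acl_apply(const struct acl_rule *r, size_t n, uint32_t src)
{
    enum sense res = PERMIT;
    for (size_t i = 0; i < n; i++)
        if ((src & r[i].mask) == (r[i].net & r[i].mask))
            res = r[i].sense;
    return res;
}

/* Constructed peer ACL: deny=0.0.0.0/0.0.0.0 then permit=192.168.1.0/255.255.255.0 */
static const struct acl_rule peer_acl[] = {
    { IP(0, 0, 0, 0),     IP(0, 0, 0, 0),       DENY   },
    { IP(192, 168, 1, 0), IP(255, 255, 255, 0), PERMIT },
};
#define PEER_ACL_LEN (sizeof(peer_acl) / sizeof(peer_acl[0]))

/* Behaviour the report describes: only REGISTER consults the ACL. */
static int accept_unpatched(const char *method, uint32_t src)
{
    if (strcmp(method, "REGISTER") == 0)
        return acl_apply(peer_acl, PEER_ACL_LEN, src) == PERMIT;
    return 1;                       /* INVITE is never checked */
}

/* With the additional check: INVITE is tested against the same ACL. */
static int accept_patched(const char *method, uint32_t src)
{
    if (strcmp(method, "REGISTER") == 0 || strcmp(method, "INVITE") == 0)
        return acl_apply(peer_acl, PEER_ACL_LEN, src) == PERMIT;
    return 1;
}

int main(void)
{
    uint32_t outside = IP(203, 0, 113, 7);   /* constructed, documentation range */
    printf("unpatched INVITE: %d, patched INVITE: %d\n",
           accept_unpatched("INVITE", outside), accept_patched("INVITE", outside));
    return 0;
}
```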

Dave Walker (davewalker) on 2009-12-02
Changed in asterisk (Ubuntu):
assignee: nobody → Dave Walker (davewalker)
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2009-3723

visibility: private → public
Changed in asterisk (Ubuntu):
status: New → Confirmed
Changed in asterisk (Ubuntu Karmic):
status: New → Confirmed
Dave Walker (davewalker) on 2009-12-02
Changed in asterisk (Ubuntu Karmic):
assignee: nobody → Dave Walker (davewalker)
Dave Walker (davewalker) on 2009-12-03
Changed in asterisk (Ubuntu Karmic):
status: Confirmed → In Progress
Dave Walker (davewalker) wrote :

The attached debdiff resolves this bug and #491637 for Karmic. It's using patches derived from upstream, and builds cleanly. I have tested installation and basic functionality. I have not tried to reproduce the known exploit for one of the bugs.

There is also a minor string change in the ubuntu-banner patch to make the suggested reporting URL more correct.

If this debdiff is accepted into -security, I'll prepare other ones for targeted releases for #491637.

Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff! It looks good, though I'd prefer:
1. it use http://dep.debian.net/deps/dep3/
2. you remove the unicode from the patch description
3. you not change the banner (edge does work after all)

I don't feel super strongly about fixing the banner, but it seems more like something to just leave alone. Other than these minor changes, it looks great. Thanks for your hard work on this!

Marking Triaged. Please set back to In Progress after resubmitting for Karmic.

Changed in asterisk (Ubuntu Karmic):
status: In Progress → Triaged
Dave Walker (davewalker) wrote :

Also includes resolution to #493555

Changed in asterisk (Ubuntu Karmic):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Dave,

Thanks again for your patch. It looks great with one exception: the patch file names should be appended to debian/patches/series, not prepended. If you haven't already, I suggest becoming familiar with https://wiki.ubuntu.com/PackagingGuide/Complete which will help you use quilt to manage the series file for you.

I made this change and uploaded to the security PPA. I'll push it out when it is done building.

Thanks again!

Changed in asterisk (Ubuntu Karmic):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Dave,

I forgot to mention, when you submit debdiffs for the other releases, please nominate for release and mark In Progress for each debdiff submitted. Thanks again!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.6.2.0~rc2-0ubuntu1.1

---------------
asterisk (1:1.6.2.0~rc2-0ubuntu1.1) karmic-security; urgency=low

  * SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
    - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
      check ACL for handling SIP INVITEs. This blocks calls on networks
      intended to be prohibited, by configuration. Based on upstream patch.
    - AST-2009-007
    - CVE-2009-3723
  * SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
    - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
      to stop a specially crafted series of requests returning valid usernames.
      Based on upstream patch.
    - AST-2009-008
    - CVE-2009-3727
  * SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
    - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
      comfort noise payload containing 24 bytes or greater is received.
    - AST-2009-010
    - CVE-2009-4055
 -- Dave Walker (Daviey) <email address hidden> Mon, 07 Dec 2009 12:23:36 +0000

Changed in asterisk (Ubuntu Karmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.6.2.0~rc2-0ubuntu2

---------------
asterisk (1:1.6.2.0~rc2-0ubuntu2) lucid; urgency=low

  [ Dave Walker (Daviey) ]
  * SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
    - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
      check ACL for handling SIP INVITEs. This blocks calls on networks
      intended to be prohibited, by configuration. Based on upstream patch.
    - AST-2009-007
    - CVE-2009-3723
  * SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
    - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
      to stop a specially crafted series of requests returning valid usernames.
      Based on upstream patch.
    - AST-2009-008
    - CVE-2009-3727
  * SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
    - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
      comfort noise payload containing 24 bytes or greater is received.
    - AST-2009-010
    - CVE-2009-4055

  [ Roberto D'Auria ]
  * debian/patches/iax2-heavy-traffic-fix: Stops asterisk crashing on
    heavy traffic on iax2 channel, editing channels/chan_iax2.c.
    Based on upstream patch. (LP: #501116)
 -- Roberto D'Auria <email address hidden> Wed, 30 Dec 2009 14:49:24 +0100

Changed in asterisk (Ubuntu):
status: Confirmed → Fix Released