Vigil@nce: Asterisk, bypassing ACLs
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker, who is normally blocked by ACLs, can send SIP INVITE
messages to Asterisk.
Severity: 2/4
Consequences: data flow
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 26/02/2010
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The Asterisk program implements a VoIP service. A SIP INVITE
message is used during the initialization of a VoIP session.
The sip.conf configuration file of Asterisk can contain rules
(ACLs with "permit" and "deny") to restrict clients which are
allowed to send SIP INVITE messages. For example:
deny=64.198.7.0/24 (notation CIDR)
deny=64.198.7.0/255.255.255.0 (notation dotted-decimal)
The acl.c file implements the CIDR notation using a 32 bit mask
(mask<<(32-x)). However, if the indicated size is zero, the left
shift of 32 bit is ignored. The resulting mask is thus invalid.
An attacker, who is normally blocked by a "x.x.x.x/0" ACL, can
therefore send SIP INVITE messages to Asterisk.
CHARACTERISTICS
Identifiers: AST-2010-003, BID-38424, VIGILANCE-VUL-9476
http://vigilance.fr/vulnerability/Asterisk-bypassing-ACLs-9476