| <?xml version="1.0" encoding="utf-8"?> |
| <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> |
| |
| <glsa id="200804-13"> |
| <title>Asterisk: Multiple vulnerabilities</title> |
| <synopsis> |
| Multiple vulnerabilities have been found in Asterisk allowing for SQL |
| injection, session hijacking and unauthorized usage. |
| </synopsis> |
| <product type="ebuild">asterisk</product> |
| <announced>April 14, 2008</announced> |
| <revised>April 14, 2008: 01</revised> |
| <bug>200792</bug> |
| <bug>202733</bug> |
| <bug>213883</bug> |
| <access>remote</access> |
| <affected> |
| <package name="net-misc/asterisk" auto="yes" arch="*"> |
| <unaffected range="ge">1.2.27</unaffected> |
| <vulnerable range="lt">1.2.27</vulnerable> |
| </package> |
| </affected> |
| <background> |
| <p> |
| Asterisk is an open source telephony engine and tool kit. |
| </p> |
| </background> |
| <description> |
| <p> |
| Asterisk upstream developers reported multiple vulnerabilities: |
| </p> |
| <ul> |
| <li>The Call Detail Record Postgres logging engine (cdr_pgsql) |
| does not correctly escape the ANI and DNIS arguments before using them |
| in SQL statements (CVE-2007-6170).</li> |
| <li>When using database-based |
| registrations ("realtime") and host-based authentication, Asterisk does |
| not check the IP address when the username is correct and there is no |
| password provided (CVE-2007-6430).</li> |
| <li>The SIP channel driver does |
| not correctly determine if authentication is required |
| (CVE-2008-1332).</li> |
| </ul> |
| </description> |
| <impact type="normal"> |
| <p> |
| Remote authenticated attackers could send specially crafted data to |
| Asterisk to execute arbitrary SQL commands and compromise the |
| administrative database. Remote unauthenticated attackers could bypass |
| authentication using a valid username to hijack other user's sessions, |
| and establish sessions on the SIP channel without authentication. |
| </p> |
| </impact> |
| <workaround> |
| <p> |
| There is no known workaround at this time. |
| </p> |
| </workaround> |
| <resolution> |
| <p> |
| All Asterisk users should upgrade to the latest version: |
| </p> |
| <code> |
| # emerge --sync |
| # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.27"</code> |
| </resolution> |
| <references> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6170">CVE-2007-6170</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6430">CVE-2007-6430</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1332">CVE-2008-1332</uri> |
| </references> |
| <metadata tag="requester" timestamp="Sat, 29 Mar 2008 20:11:29 +0000"> |
| keytoaster |
| </metadata> |
| <metadata tag="bugReady" timestamp="Thu, 03 Apr 2008 14:50:06 +0000"> |
| rbu |
| </metadata> |
| <metadata tag="submitter" timestamp="Mon, 07 Apr 2008 07:59:17 +0000"> |
| rbu |
| </metadata> |
| </glsa> |