Credit:
The information has been provided by Jason Parker.
The original article can be found at: http://downloads.digium.com/pub/security/AST-2008-003.html
Vulnerable Systems:
* Asterisk Open Source version 1.0.x
* Asterisk Open Source versions prior to 1.2.27
* Asterisk Open Source versions prior to 1.4.18.1 and 1.4.19-rc3
* Asterisk Business Edition version A.x.x
* Asterisk Business Edition versions prior to B.2.5.1
* Asterisk Business Edition versions prior to C.1.6.2
* AsteriskNOW versions prior to 1.0.2
* Asterisk Appliance Developer Kit versions prior to Asterisk 1.4 revision 109393
* s800i (Asterisk Appliance) versions prior to 1.1.0.2
Immune Systems:
* Asterisk Open Source version 1.2.27, Asterisk Open Source version 1.4.18.1 or Asterisk Open Source version 1.4.19-rc3
* Asterisk Business Edition version B.2.5.1 or Asterisk Business Edition version C.1.6.2
* AsteriskNOW version 1.0.
* Asterisk Appliance Developer Kit version 1.4 revision 109393
* s800i (Asterisk Appliance) version 1.1.0.2
Resolution:
A fix has been added which checks for the option 'allowguest' to be enabled before determining that authentication is not required.
As a workaround, modify the context in the general section of sip.conf to point to a non-trusted location (example: a non-existent context, or a context that does nothing but hang up the call).
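One way to check that the workaround is in place, as an added example that is not part of the original advisory: the script reads the context named in the general section of sip.conf and classifies it against extensions.conf as missing, inert (hangup only), or reachable. The sample configs and the context names from-internal and unauth-hangup are constructed for illustration.

```python
# Constructed sample configs (not from the advisory); context names are hypothetical.
SIP_CONF = """\
[general]
context = from-internal   ; unauthenticated calls land here
"""
SIP_CONF_WORKAROUND = """\
[general]
context = unauth-hangup
"""
EXTENSIONS_CONF = """\
[from-internal]
exten => _X.,1,Dial(SIP/trunk/${EXTEN})

[unauth-hangup]
exten => _X.,1,Hangup()
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]} for Asterisk-style config text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)          # handles both '=' and '=>'
            current.append((key.strip(), value.lstrip(">").strip()))
    return sections

def is_hangup(key, value):
    parts = value.split(",", 2)                      # pattern,priority,application
    return key == "exten" and len(parts) == 3 and parts[2].strip().lower().startswith("hangup")

def audit_general_context(sip_text, ext_text):
    """Classify the context that [general] in sip.conf points at."""
    general = dict(parse_sections(sip_text).get("general", []))
    ctx = general.get("context", "default")          # chan_sip's fallback when unset
    dialplan = parse_sections(ext_text)
    if ctx not in dialplan:
        return ctx, "missing"                        # non-existent context
    if all(is_hangup(k, v) for k, v in dialplan[ctx]):
        return ctx, "inert"                          # nothing but Hangup (or empty)
    return ctx, "reachable"                          # Dial, include, Goto, ... present

if __name__ == "__main__":
    for conf in (SIP_CONF, SIP_CONF_WORKAROUND):
        print(audit_general_context(conf, EXTENSIONS_CONF))
```

A result of "reachable" means the workaround is not applied: the general context still leads to dialplan logic.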
CVE Information:
CVE-2008-1332