lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 21 Nov 2019 16:45:55 -0600
From: "Asterisk Security Team" <>
Subject: AST-2019-006: SIP request can change address of a SIP peer.

               Asterisk Project Security Advisory - AST-2019-006

         Product        Asterisk                                              
         Summary        SIP request can change address of a SIP peer.         
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Minor                                                 
      Exploits Known    No                                                    
       Reported On      October 17, 2019                                      
       Reported By      Andrey V. T.                                          
        Posted On       November 21, 2019                                     
     Last Updated On    November 21, 2019                                     
     Advisory Contact   bford AT sangoma DOT com                              
         CVE Name       CVE-2019-18790                                        

      Description     A SIP request can be sent to Asterisk that can change   
                      a SIP peer���s IP address. A REGISTER does not need to    
                      occur, and calls can be hijacked as a result. The only  
                      thing that needs to be known is the peer���s name;        
                      authentication details such as passwords do not need    
                      to be known. This vulnerability is only exploitable     
                      when the ���nat��� option is set to the default, or         
    Modules Affected  channels/chan_sip.c                                     

    Resolution  Using any other option value for ���nat��� will prevent the       
                attack (such as ���nat=no��� or ���nat=force_rport���), but will      
                need to be tested on an individual basis to ensure that it    
                works for the user���s deployment. On the fixed versions of     
                Asterisk, it will no longer set the address of the peer       
                before authentication is successful when a SIP request comes  

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  13.x    All releases  
                  Asterisk Open Source                  16.x    All releases  
                  Asterisk Open Source                  17.x    All releases  
                   Certified Asterisk                   13.21   All releases  

                                  Corrected In                   
                              Product                              Release    
                       Asterisk Open Source                        13.29.2    
                       Asterisk Open Source                        16.6.2     
                       Asterisk Open Source                        17.0.1     
                        Certified Asterisk                       13.21-cert5  

                               SVN URL                                Revision    Asterisk 13    Asterisk 16    Asterisk 17 Certified   


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                        

                                Revision History
          Date          Editor                 Revisions Made                 
    October 22, 2019   Ben Ford  Initial Revision                             
    November 14, 2019  Ben Ford  Corrected and updated fields for             
                                 versioning, and added CVE                    
    November 21, 2019  Ben Ford  Added ���Posted On��� date                       

               Asterisk Project Security Advisory - AST-2019-006
               Copyright �� 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Powered by blists - more mailing lists