Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Daniel-Constantin Mierla
daniel at voice-system.ro
Wed Oct 17 09:19:09 UTC 2007
Hello,
On 10/17/07 11:25, Julien BLACHE wrote:
> Nico Golde <nion at debian.org> wrote:
>
> Hi,
>
>
>> CVE-2007-5469[0]:
>> | OpenSER 1.2.2 does not verify the Digest authentication header URI
>> | against the Request URI in SIP messages, which allows remote attackers
>> | to use sniffed Digest authentication credentials to call arbitrary
>> | telephone numbers or spoof caller ID (aka "toll fraud and
>> | authentication forward attack").
>>
>
> I can dig up the patch mentionned on full-disclosure, but it's only
> one part of the solution. The user needs to add the required logic in
> its config to actually "fix" the problem.
>
> Also it's not clear yet whether this also applies to OpenSER < 1.2,
> though the post on full-disclosure seems to imply that all versions
> prior to SVN 20071004 are affected.
>
Practically, the check can be done in all versions of openser>=1.0.0,
but a bit more complex. The update in the SVN just eases the check, by
making the digest URI directly available via a pseudo-variable.
The solution for older versions is:
- write the body if Authorization/Proxy-Authorization header in an AVP
via avp_printf()
- do an avp_subst() and substract the value of the digest URI in another AVP
- use avp_check() to check it against R-URI
The solution of letting the check in config file is to give more liberty
in performing it. Imagine that the proxies are behind a load balancer,
and the R-URI is changed by the LB, in that case all auth will fail. The
admin can add the initial R-URI in a special header at LB and in the
proxy compare that value with the digest URI. Embedding this check in
auth modules seemed too rigid.
Cheers,
Daniel
> JB.
>
>
More information about the Pkg-voip-maintainers
mailing list