Bug#670180: CVE-2012-2414 CVE-2012-2415 CVE-2012-2416
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Apr 24 06:22:20 UTC 2012
Hi,
Working on it,
On Mon, Apr 23, 2012 at 08:55:58PM +0200, Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security
At first glance:
>
> CVE-2012-2414 http://downloads.asterisk.org/pub/security/AST-2012-004.html
This is for both Squeeze and Wheezy/Sid.
The recommended fix in Wheezy/Sid is to upgrade to 1.8.11.1.
This complements AST-2011-006 (and, ahem, copies code from it).
Scope is the same:
* The attacker needs to already have access to a manager interface
account (not implausible, given that in many cases the security hole
is actually in a web interface that controls Asterisk through the
manager interface).
* This hole only gives extra permissions if the sysadmin did not
provide them (and just about anywhere people just grant all manager
interface permissions).
But yeah, this should be fixed for those who properly use the manager
interface.
>
> CVE-2012-2415 http://downloads.asterisk.org/pub/security/AST-2012-005.html
Skinny is a nickname for SCCP, a proprietary protocol used by some Cisco phones.
So most people don't need it. That said, the module is enabled by
default and it listens on TCP port 2000 by default.
However, exploiting this seems to require a configured Skinny device (in
e.g. /etc/asterisk/skinny.conf ), so it probably won't work on most
systems (e.g. a random system that has both UDP port 4569 open and TCP
port 2000 open).
>
> CVE-2012-2416 http://downloads.asterisk.org/pub/security/AST-2012-006.html
This seems to only require the remote attacker to be able to establish a
SIP call to Asterisk. Either being authenticated or as a guest if guests
are allowed.
Only applies to Wheezy/Sid: the code in Squeeze does not seem to support
UPDATE.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
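A least-privilege check for the manager-interface point made above (an added example, not code from the thread or from the Asterisk project): it parses a manager.conf and reports accounts whose write permissions reach the broad classes, and whether the AMI listener is bound beyond loopback. The sample config, account names and the HIGH_RISK set are constructed assumptions.

```python
import re
# Constructed sample /etc/asterisk/manager.conf (not taken from the thread).
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
bindaddr = 0.0.0.0
[webgui]     ; a web front end that was simply given everything
secret = hunter2
read = all
write = all
[monitor]    ; an account scoped to what it actually needs
secret = s3cret
read = call,log
write = call
"""

# Write permissions a least-privilege review should flag (assumed set): the issue
# in the thread only bites when an account has more than the admin intended,
# and 'all' grants every class at once.
HIGH_RISK = {"system", "command", "originate"}

def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's [section] / key = value style (';' comments)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.lstrip(">").strip()  # '=' or '=>'
    return sections

def audit_manager_conf(text):
    """Map each manager account to the risky write permissions it holds."""
    findings = {}
    for name, keys in parse_asterisk_conf(text).items():
        if name == "general":
            continue
        write = {p.strip() for p in keys.get("write", "").split(",") if p.strip()}
        risky = HIGH_RISK if "all" in write else write & HIGH_RISK
        if risky:
            findings[name] = sorted(risky)
    return findings

def manager_exposed(text):
    """True when AMI is enabled and bound to something other than loopback."""
    general = parse_asterisk_conf(text).get("general", {})
    return general.get("enabled") == "yes" and general.get("bindaddr", "0.0.0.0") != "127.0.0.1"
```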