安全研究
安全漏洞
Asterisk绕过呼叫认证漏洞
发布日期:2008-03-18
更新日期:2008-03-20
受影响系统:
Asterisk Asterisk 1.4.x不受影响系统:
Asterisk Asterisk 1.2.x
Asterisk Asterisk 1.0.x
Asterisk Business Edition C.x.x
Asterisk Business Edition B.x.x
Asterisk Business Edition A.x.x
Asterisk AsteriskNOW 1.0.x
Asterisk Appliance Developer Kit SVN
Asterisk s800i 1.0.x
Asterisk Asterisk 1.4.19-rc3描述:
Asterisk Asterisk 1.4.18.1
Asterisk Asterisk 1.2.27
Asterisk Business Edition C.1.6.2
Asterisk Business Edition B.2.5.1
Asterisk AsteriskNOW 1.0.2
Asterisk Appliance Developer Kit 1.4 revision 109393
Asterisk s800i 1.1.0.2
BUGTRAQ ID: 28310
CVE(CAN) ID: CVE-2008-1332
Asterisk是开放源码的软件PBX,支持各种VoIP协议和设备。
Asterisk在处理呼叫选项时存在漏洞,远程攻击者可能利用此漏洞执行非授权操作。
远程攻击者可以通过SIP通道驱动使用无效的From头执行非授权呼叫,这种操作类似于SIP配置选项allowguest=yes,也就是带有特制From头的呼叫会发送给sip.conf的通用部分所指定环境中的PBX。
<*来源:Jason Parker (jparker@digium.com)
链接:http://marc.info/?l=bugtraq&m=120593881802543&w=2
http://secunia.com/advisories/29426/
http://www.debian.org/security/2008/dsa-1525
http://security.gentoo.org/glsa/glsa-200804-13.xml
*>
建议:
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1525-1)以及相应补丁:
DSA-1525-1:New asterisk packages fix several vulnerabilities
链接:http://www.debian.org/security/2008/dsa-1525
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch3.diff.gz
Size/MD5 checksum: 181527 6a98d3db7fd54a5dd082c692f3e50042
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz
Size/MD5 checksum: 3835589 f8ee088b2e4feffe2b35d78079f90b69
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch3.dsc
Size/MD5 checksum: 1488 181da0b7d5a604cd79be518e662b049b
Architecture independent packages:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.2.13~dfsg-2etch3_all.deb
Size/MD5 checksum: 1500218 de67182dd31aef4878322327034ae0ae
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-2etch3_all.deb
Size/MD5 checksum: 1504782 6096881223aafe96ce1285b9be1a97ad
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.2.13~dfsg-2etch3_all.deb
Size/MD5 checksum: 131832 99911d22fb5fbf7f0520d28f0cd21af7
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-2etch3_all.deb
Size/MD5 checksum: 73928 0eaff6b096a03f0830a965ed21671557
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.2.13~dfsg-2etch3_all.deb
Size/MD5 checksum: 170126 26798a8026d05a9843a63fa3ac28488e
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch3_all.deb
Size/MD5 checksum: 146658 8fd6ec949bdd4fc072b4244f6c97642a
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_alpha.deb
Size/MD5 checksum: 1934760 0999adcecf044475a12d9300c8dc2c48
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_alpha.deb
Size/MD5 checksum: 137160 f1a2f55ed07f19114ea44639aa2be4a9
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_alpha.deb
Size/MD5 checksum: 1898628 637feeb1ac1b25f28330b808bd0597a1
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_amd64.deb
Size/MD5 checksum: 1780328 b2c4b1c62ebc4dc13a1ea53a5c842e96
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_amd64.deb
Size/MD5 checksum: 133354 1f58ef3241222af34a9ca717eff2c052
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_amd64.deb
Size/MD5 checksum: 1745634 bd5f2ee7c79247ee6f5944076b9f3442
arm architecture (ARM)
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_arm.deb
Size/MD5 checksum: 1701818 9153b33c47b4eead77107cfdeb0055ae
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_arm.deb
Size/MD5 checksum: 1668398 a8d2cb491be92fbdb93ebda9e2f42c97
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_arm.deb
Size/MD5 checksum: 136514 3e64fa9e5d988a10244b9122b20c9454
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_hppa.deb
Size/MD5 checksum: 145336 7ab22793ce0794bd2058bed710055bed
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_hppa.deb
Size/MD5 checksum: 1869966 38318b647fe2fd8e083b50f6b288d8aa
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_hppa.deb
Size/MD5 checksum: 1830986 8b026f468a5a60aefeed67a43b04e759
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_i386.deb
Size/MD5 checksum: 1616600 65c4d9ef59dc45d7ab4eb91c8497a283
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_i386.deb
Size/MD5 checksum: 1650014 f119c7b228725648f953b84d2a2ee33c
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_i386.deb
Size/MD5 checksum: 131048 539ce1eb62c36817f34e9ca0cbfb84d7
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_ia64.deb
Size/MD5 checksum: 149818 695f2f9898e033f7623cb084bfa12b6d
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_ia64.deb
Size/MD5 checksum: 2349560 98635c3fb790ff46ea1c264cd8bec307
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_ia64.deb
Size/MD5 checksum: 2395588 f517fd2e2bd3138fa3d8fbeafb0cb32d
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_mips.deb
Size/MD5 checksum: 130306 36fdfbc5bc139efd896adacb7938f100
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_mips.deb
Size/MD5 checksum: 1720394 3941173413eafc9fb6fa534f43fe2d3b
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_mips.deb
Size/MD5 checksum: 1688738 d27395cebf31c20bd8e175c62652f170
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_mipsel.deb
Size/MD5 checksum: 1664252 e30c152fef3fa37ce958fb4d463e4b09
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_mipsel.deb
Size/MD5 checksum: 129804 2624ae4a755631fb733032a1c524daff
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_mipsel.deb
Size/MD5 checksum: 1696296 04e9239cc4109971f3651fc95d5db5ea
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_powerpc.deb
Size/MD5 checksum: 133180 08012ba08692b33b3f61ad01508288b1
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_powerpc.deb
Size/MD5 checksum: 1825580 631dfe6dfb72159b05d9e049995a1cce
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_powerpc.deb
Size/MD5 checksum: 1864102 c5d24242137540588cbcdd2c330b08e6
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_s390.deb
Size/MD5 checksum: 1744876 f4b432e9ea83929766d375aa8b859261
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_s390.deb
Size/MD5 checksum: 1780834 5f855e02a7b83eb9b786a2faa5133945
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_s390.deb
Size/MD5 checksum: 136696 6693c944ceeff566de18bac7a10c9ed2
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200804-13)以及相应补丁:
GLSA-200804-13:Asterisk: Multiple vulnerabilities
链接:http://security.gentoo.org/glsa/glsa-200804-13.xml
所有Asterisk用户都应升级到最新版本:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.27"
Asterisk
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://downloads.digium.com/pub/telephony/asterisk
http://www.asterisknow.org/
浏览次数:3315
严重程度:0(网友投票)
绿盟科技给您安全的保障