Bug 1404038 (CVE-2016-9938)

Summary: CVE-2016-9938 asterisk: Authentication Bypass due to improper content stripping
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: g.devel, itamar, jsmith.fedora, rbryant
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: asterisk 11.25.1, asterisk 13.13.1, asterisk 14.2.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:04:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1404039, 1404040
Bug Blocks:

Description Adam Mariš 2016-12-12 22:53:35 UTC
The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as

Contact\x01:

will be seen as a valid Contact header.

This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication.

If you do not use a proxy for authentication, then this issue does not affect you.

If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you.

If you use chan_pjsip instead of chan_sip, then this issue does not affect you.

External Reference:

http://downloads.asterisk.org/pub/security/AST-2016-009.html
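To make the parsing difference concrete, the following is an added illustration (not chan_sip's own code) of a header-name matcher that treats any ASCII control character between the name and the colon as blank, next to one that strips only SP and HTAB as RFC 3261 requires. The function names and the sample header lines are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the first n bytes of line against name
 * (SIP header names are case-insensitive). Stops safely at a NUL in line. */
static int name_matches(const char *line, const char *name, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Lenient matcher modelled on the behaviour the advisory describes: space
 * and every ASCII control byte (0x00-0x1F, 0x7F) is skipped as whitespace,
 * so "Contact\x01:" is accepted as a Contact header. Returns 1 on match. */
int header_matches_lenient(const char *line, const char *name)
{
    size_t n = strlen(name);
    if (!name_matches(line, name, n))
        return 0;
    const char *p = line + n;
    while (*p && (*p == ' ' || iscntrl((unsigned char)*p)))
        p++;
    return *p == ':';
}

/* Strict matcher: RFC 3261 permits only SP and HTAB before the colon,
 * so "Contact\x01:" is rejected here. Returns 1 on match. */
int header_matches_strict(const char *line, const char *name)
{
    size_t n = strlen(name);
    if (!name_matches(line, name, n))
        return 0;
    const char *p = line + n;
    while (*p == ' ' || *p == '\t')
        p++;
    return *p == ':';
}

int main(void)
{
    /* Constructed sample header lines, not captured traffic. */
    const char *samples[] = { "Contact: <sip:alice@example.com>",
                              "Contact\t: <sip:alice@example.com>",
                              "Contact\x01: <sip:alice@example.com>" };
    for (size_t i = 0; i < 3; i++)
        printf("sample %zu: lenient=%d strict=%d\n", i,
               header_matches_lenient(samples[i], "Contact"),
               header_matches_strict(samples[i], "Contact"));
    return 0;
}
```

Only the third sample differs between the two matchers, which is exactly the discrepancy the description relies on when a front-end proxy and Asterisk disagree about which headers a request carries.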

Comment 1 Adam Mariš 2016-12-12 22:54:47 UTC
Created asterisk tracking bugs for this issue:

Affects: fedora-all [bug 1404039]
Affects: epel-6 [bug 1404040]

Comment 2 Product Security DevOps Team 2019-06-08 03:04:16 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.