Bug 853526 - (CVE-2012-4737) CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120830,reported=2...
Keywords: Security
Depends On: 853527 853528 853531
Blocks:
Reported: 2012-08-31 15:38 EDT by Kurt Seifried
Modified: 2012-12-11 04:10 EST (History)

Doc Type: Bug Fix
Last Closed: 2012-12-11 04:10:16 EST


Attachments: None
Description Kurt Seifried 2012-08-31 15:38:41 EDT
AST-2012-013

When an IAX2 call is made using the credentials of a peer defined in a dynamic
Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not
applied to the call attempt.  This allows for a remote attacker who is aware of a
peer's credentials to bypass the ACL rules set for that peer. 

This was originally reported by "Alan Frisch".

http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
http://downloads.asterisk.org/pub/security/AST-2012-013.1.8.diff
http://downloads.asterisk.org/pub/security/AST-2012-013.10.diff
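The bypass described in the advisory text above, modeled as an added Python example. This is not Asterisk's chan_iax2 code and not taken from the AST-2012-013 patches: it reproduces the shape of the problem (a peer loaded from a realtime backend authenticates successfully but its permit/deny list is never consulted) beside the hardened form that applies the ACL regardless of where the peer definition came from. Peer names, secrets, subnets and the source address are constructed. The ACL evaluation follows Asterisk's host access list semantics (rules checked in order, last matching rule wins, a source matching no rule is allowed).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordered ACL as Asterisk builds it from permit=/deny= lines: (action, cidr).
Acl = List[Tuple[str, str]]


@dataclass
class Peer:
    name: str
    secret: str
    acl: Acl
    realtime: bool  # True if the peer came from an ARA (realtime) backend


def acl_allows(acl: Acl, src_ip: str) -> bool:
    """Evaluate a permit/deny list the way Asterisk's host access lists work:
    rules are checked in order, the last matching rule decides, and a source
    that matches no rule at all is allowed."""
    addr = ipaddress.ip_address(src_ip)
    verdict = True
    for action, cidr in acl:
        if addr in ipaddress.ip_network(cidr, strict=False):
            verdict = action == "permit"
    return verdict


# Constructed sample data (not from any real deployment).  Both peers carry the
# usual "deny everything, then permit one subnet" ACL; only their origin differs.
STATIC_PEERS: Dict[str, Peer] = {
    "alice": Peer("alice", "s3cret-alice",
                  [("deny", "0.0.0.0/0"), ("permit", "10.0.0.0/8")], realtime=False),
}
REALTIME_PEERS: Dict[str, Peer] = {  # stand-in for rows in a hypothetical ARA table
    "bob": Peer("bob", "s3cret-bob",
                [("deny", "0.0.0.0/0"), ("permit", "10.0.0.0/8")], realtime=True),
}


def lookup_peer(name: str) -> Optional[Peer]:
    """Static peers first, then the realtime backend (hypothetical lookup order)."""
    return STATIC_PEERS.get(name) or REALTIME_PEERS.get(name)


def _authenticate(peer: Optional[Peer], secret: str) -> Optional[str]:
    """Return an error string on failure, None on success."""
    if peer is None or peer.secret != secret:
        return "rejected: bad credentials"
    return None


def place_call_vulnerable(name: str, secret: str, src_ip: str) -> str:
    """Models the AST-2012-013 behaviour: a realtime peer's ACL is loaded with
    the peer but never consulted on the call attempt, so anyone holding that
    peer's secret can place calls from any address."""
    peer = lookup_peer(name)
    err = _authenticate(peer, secret)
    if err:
        return err
    if not peer.realtime and not acl_allows(peer.acl, src_ip):
        return "rejected: acl"
    return "accepted"


def place_call_fixed(name: str, secret: str, src_ip: str) -> str:
    """Hardened form: the ACL is applied for every peer, static or realtime."""
    peer = lookup_peer(name)
    err = _authenticate(peer, secret)
    if err:
        return err
    if not acl_allows(peer.acl, src_ip):
        return "rejected: acl"
    return "accepted"


if __name__ == "__main__":
    attacker_ip = "203.0.113.5"  # outside the permitted 10.0.0.0/8
    for fn in (place_call_vulnerable, place_call_fixed):
        print(fn.__name__, "static alice:", fn("alice", "s3cret-alice", attacker_ip))
        print(fn.__name__, "realtime bob:", fn("bob", "s3cret-bob", attacker_ip))
```

Running it shows the asymmetry the advisory describes: with the same ACL and the same attacker address, the static peer is rejected by both code paths, while the realtime peer is accepted by the vulnerable path and rejected only once the ACL check is applied unconditionally. The practical check on a live system is the same: place a call with valid realtime-peer credentials from an address the peer's deny rules should block, and confirm it is refused.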
Comment 1 Kurt Seifried 2012-08-31 15:39:42 EDT
Created asterisk tracking bugs for this issue

Affects: fedora-16 [bug 853527]
Comment 2 Kurt Seifried 2012-08-31 15:40:15 EDT
Created asterisk tracking bugs for this issue

Affects: fedora-17 [bug 853528]
Comment 3 Kurt Seifried 2012-08-31 15:41:03 EDT
Created asterisk tracking bugs for this issue

Affects: epel-6 [bug 853531]
Comment 4 Kurt Seifried 2012-08-31 15:41:41 EDT
Please note: the links to the diffs are currently 404, emailed upstream.
Comment 5 Kurt Seifried 2012-12-11 04:10:16 EST
asterisk-1.8.18.0-1.el6 has been pushed to the Epel 6 repository.  If problems still persist, please make note of it in this bug report.

asterisk-1.8.18.0-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

asterisk-10.10.0-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
