Bug 1590209 (CVE-2018-12227) - CVE-2018-12227 asterisk: PJSIP endpoint presence disclosure when using ACL
Summary: CVE-2018-12227 asterisk: PJSIP endpoint presence disclosure when using ACL
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-12227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1590212 1590213
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-06-12 08:31 UTC by Adam Mariš
Modified: 2021-02-17 00:08 UTC (History)
5 users (show)

Fixed In Version: asterisk 13.21.1, asterisk 14.7.7, asterisk 15.4.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-12 08:36:29 UTC
Embargoed:


Attachments (Terms of Use)

Description Adam Mariš 2018-06-12 08:31:59 UTC
When endpoint specific ACL rules block a SIP request they respond with a 403 forbidden. However, if an endpoint is not identified then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints.

External References:

http://downloads.asterisk.org/pub/security/AST-2018-008.html

Comment 1 Adam Mariš 2018-06-12 08:35:14 UTC
Created asterisk tracking bugs for this issue:

Affects: epel-6 [bug 1590212]
Affects: fedora-all [bug 1590213]


Note You need to log in before you can comment on or make changes to this bug.