AST-2007-025 - SQL Injection issue in res_config_pgsql
From: Asterisk Security Team <security@digium.com.>
To: [email protected]
Subject: AST-2007-025 - SQL Injection issue in res_config_pgsql
Date: Thu, 29 Nov 2007 16:18:55 -0600
User-Agent: KMail/1.9.6
Organization: Asterisk Open Source
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200711291618.55308.security@digium.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
Asterisk Project Security Advisory - AST-2007-025
+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SQL Injection issue in res_config_pgsql |
|----------------------+-------------------------------------------------|
| Nature of Advisory | SQL Injection |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Reported By | P. Chisteas <p_christ AT hol DOT gr> |
|----------------------+-------------------------------------------------|
| Posted On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Last Updated On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+-------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing |
| | lookup data to the Postgres Realtime Engine. An attacker |
| | could potentially compromise the administrative database |
| | containing users' usernames and passwords used for SIP |
| | authentication, among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Workaround | Convert your installation to use res_config_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.0.x | None |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.2.x | None |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.4.x | 1.4.14 and previous |
| | | versions |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | A.x.x | None |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | B.x.x | None |
|------------------------------+-------------+---------------------------|
| AsteriskNOW | pre-release | None |
|------------------------------+-------------+---------------------------|
| Asterisk Appliance Developer | 0.x.x | None |
| Kit | | |
|------------------------------+-------------+---------------------------|
| s800i (Asterisk Appliance) | 1.0.x | None |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 1.4.15 |
|------------------------------------------+-----------------------------|
|------------------------------------------+-----------------------------|
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-025.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-025.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+------------------------+-----------------------------|
| 2007-11-29 | Tilghman Lesher | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2007-025
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
