On Monday 06 April 2009 19:22:30 Martin wrote:
> Can you give more information about this vulnerability?
It's unlikely that it's this vulnerability. Every Asterisk box allows guest access to the machine, by default. The context it goes to is generally the "default" context. This is what allows you to publish an address like sip:foo.example.com and have it get through to your company. There's no preexisting relationship between caller and callee; it's merely a method of contacting the machine.

What is a vulnerability is the way that some people have configured this. They put in that context patterns that can dial out. There's nothing specifically wrong with this configuration, from an Asterisk perspective; however, in many cases, guest access is not what the administrator intended; thus, the machine may be used to make illicit outbound telephone calls by anybody who sends a SIP call to that machine.

The recent vulnerability had nothing to do with this, but with the ability of an attacker to scan a SIP server for legitimate usernames and passwords. This, by the way, merely took advantage of the SIP protocol, as written. Normally, SIP allows you to differentiate between invalid usernames (404) and invalid passwords (403). What we closed in the recent vulnerability patch was to allow administrators to send back 403, regardless of whether the username existed or not.

-- Tilghman
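The two issues Tilghman describes, shown as an added configuration example that is not part of the original thread: a guest-reachable default context that can dial out, beside a layout that confines guests and gives the uniform 403 response. The trunk peer name `trunk`, the peer `alice`, the extension numbers and the `9` dial-out prefix are assumptions for illustration.

```ini
; ---- WEAK: guests land in [default], and [default] can dial out ----
; sip.conf
[general]
allowguest=yes           ; the default: unauthenticated INVITEs are accepted
context=default          ; ...and routed to [default]

; extensions.conf
[default]
exten => 100,1,Dial(SIP/alice)              ; intended: the published address
exten => _9X.,1,Dial(SIP/${EXTEN:1}@trunk)  ; NOT intended for guests: any
                                            ; caller that sends an INVITE for
                                            ; 9+number gets a toll call placed

; ---- HARDENED: guests reach only what is meant to be published ----
; sip.conf
[general]
allowguest=yes           ; keep guest access only if the box must be reachable
context=default          ; guests are confined to [default]
alwaysauthreject=yes     ; same 403 for unknown users and bad passwords, the
                         ; behaviour the message above describes

[alice]                  ; assumed authenticated peer
type=friend
secret=CHANGE-ME-PLACEHOLDER
context=internal         ; authenticated peers get the context that can dial out

; extensions.conf
[default]
exten => 100,1,Dial(SIP/alice,20)
exten => 100,n,Hangup()
exten => _X.,1,NoOp(Guest call to ${EXTEN} not routed)   ; no dial-out here
exten => _X.,n,Hangup()

[internal]
include => default                                        ; internal users can
exten => _9X.,1,Dial(SIP/${EXTEN:1}@trunk)                ; still reach 100 and
exten => _9X.,n,Hangup()                                  ; dial out via trunk
```

After the change, a guest INVITE for `9` followed by a number hits the `_X.` catch-all in `[default]` and is hung up rather than handed to the trunk; only peers that authenticated as `alice` reach `[internal]`.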