Vulnerabilities > CVE-2008-1390 - Credentials Management vulnerability in Asterisk products

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

asterisk

CWE-255

critical

nessus

NVD

Published: 2008-03-24

Updated: 2018-10-11

Summary

The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.

Vulnerable Configurations

Part	Description	Count
Application	Asterisk Asterisk Asterisk 1.4.1 Asterisk Asterisk 1.4.2 Asterisk Asterisk 1.4.3 Asterisk Asterisk 1.4.4 Asterisk Asterisk 1.4.5 Asterisk Asterisk 1.4.6 Asterisk Asterisk 1.4.7 Asterisk Asterisk 1.4.8 Asterisk Asterisk 1.4.9 Asterisk Asterisk 1.4.10 Asterisk Asterisk 1.4.11 Asterisk Asterisk 1.4.12 Asterisk Asterisk 1.4.13 Asterisk Asterisk 1.4.14 Asterisk Asterisk 1.4.15 Asterisk Asterisk 1.4.16 Asterisk Asterisk 1.4.17 Asterisk Asterisk 1.4.18.1 Asterisk Asterisk 1.4_Beta Asterisk Asterisk 1.4_Revision_95946 Asterisk Asterisk 1.6 Asterisk Asterisk Appliance Developer KIT 0.2 Asterisk Asterisk Appliance Developer KIT 0.3 Asterisk Asterisk Appliance Developer KIT 0.4 Asterisk Asterisk Appliance Developer KIT 0.5 Asterisk Asterisk Appliance Developer KIT 0.6 Asterisk Asterisk Appliance Developer KIT 0.7 Asterisk Asterisk Appliance Developer KIT 0.8 Asterisk Asterisk Appliance Developer KIT 1.4 Asterisk Asterisk Business Edition C.1.0-Beta7 Asterisk Asterisk Business Edition C.1.0-Beta8 Asterisk Asterisknow 1.0 Asterisk Asterisknow Beta_5 Asterisk Asterisknow Beta_6 Asterisk Asterisknow Beta_7 Asterisk S800I 1.0 Asterisk S800I 1.0.1 Asterisk S800I 1.0.2 Asterisk S800I 1.0.3 Asterisk S800I 1.1.0	40

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

Nessus

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-2620.NASL
description	Update to 1.4.18.1 plus another patch to fix some security issues. AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling. * http://downloads.digium.com/pub/security/AST-2008-002.pdf * All users of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf. * http://downloads.digium.com/pub/security/AST-2008-003.pdf * All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected. AST-2008-005 details a problem in the way manager IDs are calculated. * http://downloads.digium.com/pub/security/AST-2008-005.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	31667
published	2008-03-26
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/31667
title	Fedora 7 : asterisk-1.4.18.1-1.fc7 (2008-2620)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2008-2620. # include("compat.inc"); if (description) { script_id(31667); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:27"); script_cve_id("CVE-2008-1289", "CVE-2008-1332", "CVE-2008-1390"); script_bugtraq_id(28310, 28316); script_xref(name:"FEDORA", value:"2008-2620"); script_name(english:"Fedora 7 : asterisk-1.4.18.1-1.fc7 (2008-2620)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to 1.4.18.1 plus another patch to fix some security issues. AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling. * http://downloads.digium.com/pub/security/AST-2008-002.pdf * All users of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf. * http://downloads.digium.com/pub/security/AST-2008-003.pdf * All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected. AST-2008-005 details a problem in the way manager IDs are calculated. * http://downloads.digium.com/pub/security/AST-2008-005.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://downloads.digium.com/pub/security/AST-2008-002.pdf script_set_attribute( attribute:"see_also", value:"https://downloads.digium.com/pub/security/AST-2008-002.pdf" ); # http://downloads.digium.com/pub/security/AST-2008-003.pdf script_set_attribute( attribute:"see_also", value:"https://downloads.digium.com/pub/security/AST-2008-003.pdf" ); # http://downloads.digium.com/pub/security/AST-2008-005.pdf script_set_attribute( attribute:"see_also", value:"https://downloads.digium.com/pub/security/AST-2008-005.pdf" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438127" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438129" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438131" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-March/008853.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6c5aa321" ); script_set_attribute( attribute:"solution", value:"Update the affected asterisk package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119, 255, 264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7"); script_set_attribute(attribute:"patch_publication_date", value:"2008/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC7", reference:"asterisk-1.4.18.1-1.fc7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-2554.NASL
description	Update to 1.4.18.1 plus another patch to fix some security issues. AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling. * http://downloads.digium.com/pub/security/AST-2008-002.pdf * All users of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf. * http://downloads.digium.com/pub/security/AST-2008-003.pdf * All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected. AST-2008-005 details a problem in the way manager IDs are calculated. * http://downloads.digium.com/pub/security/AST-2008-005.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	31664
published	2008-03-26
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/31664
title	Fedora 8 : asterisk-1.4.18.1-1.fc8 (2008-2554)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2008-2554. # include("compat.inc"); if (description) { script_id(31664); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:27"); script_cve_id("CVE-2008-1289", "CVE-2008-1332", "CVE-2008-1390"); script_bugtraq_id(28310, 28316); script_xref(name:"FEDORA", value:"2008-2554"); script_name(english:"Fedora 8 : asterisk-1.4.18.1-1.fc8 (2008-2554)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to 1.4.18.1 plus another patch to fix some security issues. AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling. * http://downloads.digium.com/pub/security/AST-2008-002.pdf * All users of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf. * http://downloads.digium.com/pub/security/AST-2008-003.pdf * All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected. AST-2008-005 details a problem in the way manager IDs are calculated. * http://downloads.digium.com/pub/security/AST-2008-005.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://downloads.digium.com/pub/security/AST-2008-002.pdf script_set_attribute( attribute:"see_also", value:"https://downloads.digium.com/pub/security/AST-2008-002.pdf" ); # http://downloads.digium.com/pub/security/AST-2008-003.pdf script_set_attribute( attribute:"see_also", value:"https://downloads.digium.com/pub/security/AST-2008-003.pdf" ); # http://downloads.digium.com/pub/security/AST-2008-005.pdf script_set_attribute( attribute:"see_also", value:"https://downloads.digium.com/pub/security/AST-2008-005.pdf" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438127" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438129" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438131" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-March/008777.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f2e865c6" ); script_set_attribute( attribute:"solution", value:"Update the affected asterisk package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119, 255, 264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8"); script_set_attribute(attribute:"patch_publication_date", value:"2008/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^8([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC8", reference:"asterisk-1.4.18.1-1.fc8")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk"); }

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 28316 CVE(CAN) ID: CVE-2008-1390 Asterisk是开放源码的软件PBX，支持各种VoIP协议和设备。 Asterisk计算管理器ID的方式存在错误，允许攻击者相对容易的预测很多HTTP查询所使用的管理器ID。会话id是在AsteriskGUI HTTP服务器中生成的。当使用Glibc时，rand()和random()的实现和状态是共享的。Asterisk使用random()发布MD5 digest认证挑战并用malloc的指针rand()位或运算以生成AsteriskGUI会话标识符。攻击者可以通过检索32个连续的挑战同步到 random()，然后预测所有之后对random()和rand()调用的输出。由于malloc所返回的指针最多有21位的熵，因此攻击者仅需平均猜测1448个会话标识符就可以窃取已创建的会话。 Asterisk Asterisk 1.6.x Asterisk Asterisk 1.4.x Asterisk Business Edition C.x.x Asterisk AsteriskNOW pre-release Asterisk Appliance Developer Kit SVN Asterisk s800i 1.0.x Asterisk -------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://www.asterisk.org/ target=_blank>http://www.asterisk.org/</a>
id	SSV:3069
last seen	2017-11-19
modified	2008-03-21
published	2008-03-21
reporter	Root
title	Asterisk可预测HTTP管理器会话ID漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Seebug

References