CVE-2008-1390 - Credentials Management vulnerability in Asterisk products

CVSS 9.3 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: MEDIUM
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Tags: network, asterisk, CWE-255, critical, nessus

Summary

The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-2620.NASL
    description: Update to 1.4.18.1 plus another patch to fix some security issues. AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling. * http://downloads.digium.com/pub/security/AST-2008-002.pdf * All users of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf. * http://downloads.digium.com/pub/security/AST-2008-003.pdf * All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected. AST-2008-005 details a problem in the way manager IDs are calculated. * http://downloads.digium.com/pub/security/AST-2008-005.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31667
    published: 2008-03-26
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31667
    title: Fedora 7 : asterisk-1.4.18.1-1.fc7 (2008-2620)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-2620.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31667);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      script_cve_id("CVE-2008-1289", "CVE-2008-1332", "CVE-2008-1390");
      script_bugtraq_id(28310, 28316);
      script_xref(name:"FEDORA", value:"2008-2620");
    
      script_name(english:"Fedora 7 : asterisk-1.4.18.1-1.fc7 (2008-2620)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to 1.4.18.1 plus another patch to fix some security issues.
    AST-2008-002 details two buffer overflows that were discovered in RTP
    codec payload type handling. *
    http://downloads.digium.com/pub/security/AST-2008-002.pdf * All users
    of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a
    vulnerability which allows an attacker to bypass SIP authentication
    and to make a call into the context specified in the general section
    of sip.conf. *
    http://downloads.digium.com/pub/security/AST-2008-003.pdf * All users
    of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected. AST-2008-005
    details a problem in the way manager IDs are calculated. *
    http://downloads.digium.com/pub/security/AST-2008-005.pdf
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://downloads.digium.com/pub/security/AST-2008-002.pdf
      script_set_attribute(
        attribute:"see_also",
        value:"https://downloads.digium.com/pub/security/AST-2008-002.pdf"
      );
      # http://downloads.digium.com/pub/security/AST-2008-003.pdf
      script_set_attribute(
        attribute:"see_also",
        value:"https://downloads.digium.com/pub/security/AST-2008-003.pdf"
      );
      # http://downloads.digium.com/pub/security/AST-2008-005.pdf
      script_set_attribute(
        attribute:"see_also",
        value:"https://downloads.digium.com/pub/security/AST-2008-005.pdf"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=438127"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=438129"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=438131"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-March/008853.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6c5aa321"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected asterisk package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119, 255, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC7", reference:"asterisk-1.4.18.1-1.fc7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-2554.NASL
    description: Update to 1.4.18.1 plus another patch to fix some security issues. AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling. * http://downloads.digium.com/pub/security/AST-2008-002.pdf * All users of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf. * http://downloads.digium.com/pub/security/AST-2008-003.pdf * All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected. AST-2008-005 details a problem in the way manager IDs are calculated. * http://downloads.digium.com/pub/security/AST-2008-005.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31664
    published: 2008-03-26
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31664
    title: Fedora 8 : asterisk-1.4.18.1-1.fc8 (2008-2554)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-2554.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31664);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      script_cve_id("CVE-2008-1289", "CVE-2008-1332", "CVE-2008-1390");
      script_bugtraq_id(28310, 28316);
      script_xref(name:"FEDORA", value:"2008-2554");
    
      script_name(english:"Fedora 8 : asterisk-1.4.18.1-1.fc8 (2008-2554)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to 1.4.18.1 plus another patch to fix some security issues.
    AST-2008-002 details two buffer overflows that were discovered in RTP
    codec payload type handling. *
    http://downloads.digium.com/pub/security/AST-2008-002.pdf * All users
    of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a
    vulnerability which allows an attacker to bypass SIP authentication
    and to make a call into the context specified in the general section
    of sip.conf. *
    http://downloads.digium.com/pub/security/AST-2008-003.pdf * All users
    of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected. AST-2008-005
    details a problem in the way manager IDs are calculated. *
    http://downloads.digium.com/pub/security/AST-2008-005.pdf
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://downloads.digium.com/pub/security/AST-2008-002.pdf
      script_set_attribute(
        attribute:"see_also",
        value:"https://downloads.digium.com/pub/security/AST-2008-002.pdf"
      );
      # http://downloads.digium.com/pub/security/AST-2008-003.pdf
      script_set_attribute(
        attribute:"see_also",
        value:"https://downloads.digium.com/pub/security/AST-2008-003.pdf"
      );
      # http://downloads.digium.com/pub/security/AST-2008-005.pdf
      script_set_attribute(
        attribute:"see_also",
        value:"https://downloads.digium.com/pub/security/AST-2008-005.pdf"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=438127"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=438129"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=438131"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-March/008777.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f2e865c6"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected asterisk package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119, 255, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC8", reference:"asterisk-1.4.18.1-1.fc8")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
    }
    

Seebug

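bulletinFamily: exploit
description: BUGTRAQ ID: 28316. CVE(CAN) ID: CVE-2008-1390.

Asterisk is an open-source software PBX that supports a variety of VoIP protocols and devices.

There is an error in the way Asterisk computes manager IDs that allows an attacker to predict, relatively easily, the manager IDs used by many HTTP queries.

Session IDs are generated in the AsteriskGUI HTTP server. When Glibc is used, rand() and random() share their implementation and state. Asterisk uses random() to issue MD5 digest authentication challenges, and ORs a pointer returned by malloc with rand() to generate AsteriskGUI session identifiers. An attacker can synchronize with random() by retrieving 32 consecutive challenges and then predict the output of all subsequent calls to random() and rand(). Because the pointer returned by malloc has at most 21 bits of entropy, an attacker needs to guess only 1448 session identifiers on average to steal an established session.

Asterisk Asterisk 1.6.x; Asterisk Asterisk 1.4.x; Asterisk Business Edition C.x.x; Asterisk AsteriskNOW pre-release; Asterisk Appliance Developer Kit SVN; Asterisk s800i 1.0.x

Asterisk: The vendor has released upgrade patches that fix this security issue; download them from the vendor's home page: http://www.asterisk.org/
id: SSV:3069
last seen: 2017-11-19
modified: 2008-03-21
published: 2008-03-21
reporter: Root
title: Asterisk Predictable HTTP Manager Session ID Vulnerability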
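
The weakness described in the Seebug entry above, as an added C example (not Asterisk source code and not part of the original page): on glibc, rand() continues the stream that random() draws from, so an ID built as a heap pointer OR'd with rand() shares a generator with values already handed out, while an ID read from the kernel CSPRNG does not. The function names, the seed and the allocation size are assumptions made for the illustration.

```c
/* Added illustration of the pattern in the advisory; not Asterisk source. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>   /* getrandom(), glibc >= 2.25 */

/* Weak pattern: heap address OR'd with rand() output. Every bit set in
 * the pointer is also set in the ID, and rand() is not a CSPRNG. */
unsigned long weak_manager_id(const void *session)
{
    return (unsigned long)(uintptr_t)session | (unsigned long)rand();
}

/* Returns 1 when rand() continues the stream random() is drawing from,
 * i.e. values handed out (challenges) and values kept secret (IDs) come
 * from one generator. seed and handed_out are arbitrary inputs. */
int rand_continues_random_stream(unsigned seed, int handed_out)
{
    srandom(seed);
    for (int i = 0; i < handed_out; i++) (void)random();
    long via_rand = rand();

    srandom(seed);
    for (int i = 0; i < handed_out; i++) (void)random();
    long via_random = random();

    return via_rand == via_random;
}

/* Hardened form: 128 bits from the kernel CSPRNG, hex-encoded.
 * Returns 0 on success, -1 if the kernel could not supply the bytes. */
int strong_manager_id(char out[33])
{
    unsigned char raw[16];
    if (getrandom(raw, sizeof raw, 0) != (ssize_t)sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

int main(void)
{
    char id[33];
    void *session = malloc(64);   /* stand-in for a session object */
    printf("shared stream: %d\n", rand_continues_random_stream(2008u, 32));
    printf("weak id:       %lx\n", weak_manager_id(session));
    if (strong_manager_id(id) == 0) printf("strong id:     %s\n", id);
    free(session);
    return 0;
}
```

On a C library where rand() and random() are separate generators the first function returns 0; the hardened form does not depend on either.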