ID UB:CVE-2010-1224 Type ubuntucve Reporter ubuntu.com Modified 2010-04-01T00:00:00
Description
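main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before
1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce remote host
access controls when CIDR notation "/0" is used in permit= and deny=
configuration rules. Handling the "/0" prefix causes an improper arithmetic
shift, so such a rule may not be applied to the address range it was written
for, which might allow remote attackers to bypass ACL rules and access
services from unauthorized hosts. The rules at risk are those written with
"/0", typically a catch-all entry such as a default deny of every address; a
configuration that depends on one is not enforcing what it states until the
server runs one of the fixed versions named above.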
{"openvas": [{"lastseen": "2019-05-29T18:40:07", "description": "Asterisk is prone to a security-bypass vulnerability.", "cvss3": {}, "published": "2010-03-02T00:00:00", "type": "openvas", "title": "Asterisk CIDR Notation in Access Rule Remote Security Bypass Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1224"], "modified": "2016-12-30T00:00:00", "id": "OPENVAS:1361412562310100513", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100513", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: asterisk_38424.nasl 4887 2016-12-30 12:54:28Z cfi $\n#\n# Asterisk CIDR Notation in Access Rule Remote Security Bypass Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:digium:asterisk';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100513\");\n script_version(\"$Revision: 4887 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-30 13:54:28 +0100 (Fri, 30 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-02 12:58:40 +0100 (Tue, 02 Mar 2010)\");\n script_bugtraq_id(38424);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-1224\");\n script_name(\"Asterisk CIDR Notation in Access Rule Remote Security Bypass Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_asterisk_detect.nasl\");\n script_mandatory_keys(\"Asterisk-PBX/Ver\", \"Asterisk-PBX/Installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/38424\");\n script_xref(name:\"URL\", value:\"http://www.asterisk.org/\");\n script_xref(name:\"URL\", value:\"http://downloads.asterisk.org/pub/security/AST-2010-003.html\");\n\n script_tag(name:\"solution\", value:\"Updates are available. 
Please see the references for details.\");\n\n script_tag(name:\"summary\", value:\"Asterisk is prone to a security-bypass vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this issue to bypass access control list (ACL)\n rules, which may lead to other attacks.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_proto( cpe:CPE, port:port ) ) exit( 0 );\n\nversion = infos[\"version\"];\nproto = infos[\"proto\"];\n\nif( version_in_range( version:version, test_version:\"1.6.1\", test_version2:\"1.6.1.16\" ) ||\n version_in_range( version:version, test_version:\"1.6.0\", test_version2:\"1.6.0.24\" ) ||\n version_in_range( version:version, test_version:\"1.6.2\", test_version2:\"1.6.2.4\" ) ) {\n report = report_fixed_ver( installed_version:version, fixed_version:\"See references\" );\n security_message( port:port, data:report, protocol:proto );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-05-15T07:30:05", "description": "main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce remote host access controls when CIDR notation \"/0\" is used in permit= and deny= configuration rules, which causes an improper arithmetic shift and might allow remote attackers to bypass ACL rules and access services from unauthorized hosts.", "cvss3": {}, "published": "2010-04-01T21:30:00", "type": "debiancve", "title": "CVE-2010-1224", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1224"], "modified": "2010-04-01T21:30:00", "id": "DEBIANCVE:CVE-2010-1224", "href": "https://security-tracker.debian.org/tracker/CVE-2010-1224", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T11:50:05", "description": "main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce remote host access controls when CIDR notation \"/0\" is used in permit= and deny= configuration rules, which causes an improper arithmetic shift and might allow remote attackers to bypass ACL rules and access services from unauthorized hosts.", "cvss3": {}, "published": "2010-04-01T21:30:00", "type": "cve", "title": "CVE-2010-1224", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1224"], "modified": "2018-10-10T19:56:00", "cpe": ["cpe:/a:digium:asterisk:1.6.0.14", "cpe:/a:digium:asterisk:1.6.0.16", "cpe:/a:digium:asterisk:1.6.0.13", "cpe:/a:digium:asterisk:1.6.2.4", "cpe:/a:digium:asterisk:1.6.2.2", "cpe:/a:digium:asterisk:1.6.0.20", "cpe:/a:digium:asterisk:1.6.0.15", "cpe:/a:digium:asterisk:1.6.0.9", "cpe:/a:digium:asterisk:1.6.1.5", "cpe:/a:digium:asterisk:1.6.0.23", 
"cpe:/a:digium:asterisk:1.6.0.7", "cpe:/a:digium:asterisk:1.6.1.7", "cpe:/a:digium:asterisk:1.6.0.24", "cpe:/a:digium:asterisk:1.6.1", "cpe:/a:digium:asterisk:1.6.1.4", "cpe:/a:digium:asterisk:1.6.1.15", "cpe:/a:digium:asterisk:1.6.0.18", "cpe:/a:digium:asterisk:1.6.0", "cpe:/a:digium:asterisk:1.6.0.12", "cpe:/a:digium:asterisk:1.6.1.10", "cpe:/a:digium:asterisk:1.6.1.1", "cpe:/a:digium:asterisk:1.6.1.6", "cpe:/a:digium:asterisk:1.6.0.17", "cpe:/a:digium:asterisk:1.6.0.1", "cpe:/a:digium:asterisk:1.6.0.5", "cpe:/a:digium:asterisk:1.6.1.9", "cpe:/a:digium:asterisk:1.6.0.19", "cpe:/a:digium:asterisk:1.6.1.16", "cpe:/a:digium:asterisk:1.6.2.3", "cpe:/a:digium:asterisk:1.6.0.3", "cpe:/a:digium:asterisk:1.6.1.12", "cpe:/a:digium:asterisk:1.6.1.14", "cpe:/a:digium:asterisk:1.6.0.21", "cpe:/a:digium:asterisk:1.6.1.13", "cpe:/a:digium:asterisk:1.6.0.8", "cpe:/a:digium:asterisk:1.6.1.2", "cpe:/a:digium:asterisk:1.6.0.6", "cpe:/a:digium:asterisk:1.6.0.22", "cpe:/a:digium:asterisk:1.6.1.8", "cpe:/a:digium:asterisk:1.6.0.10", "cpe:/a:digium:asterisk:1.6.0.2", "cpe:/a:digium:asterisk:1.6.1.11", "cpe:/a:digium:asterisk:1.6.2.1", "cpe:/a:digium:asterisk:1.6.2.0"], "id": "CVE-2010-1224", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1224", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:digium:asterisk:1.6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.7:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.10:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.18:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.0:rc8:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.22:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.9:*:*:*:*:*:*:*", 
"cpe:2.3:a:digium:asterisk:1.6.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.15:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.19:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.13:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.16:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.20:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.0:rc6:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.16:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.0:rc5:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.23:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.10:rc3:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.3:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.16:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.0:rc7:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.18:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:digium:asterisk:1.6.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.7:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.18:rc3:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.21:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.12:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.10:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:digium:asterisk:1.6.1.1:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-08-19T13:03:57", "description": "Update to 1.6.1.17 * AST-2010-003: Invalid parsing of ACL rules can compromise security * AST-2010-002: This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers. * AST-2010-001:\nAn attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. The same crash occurs when the FaxMaxDatagram field is omitted from the SDP as well.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2010-07-01T00:00:00", "type": "nessus", "title": "Fedora 11 : asterisk-1.6.1.17-1.fc11 (2010-3724)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0441", "CVE-2010-0685", "CVE-2010-1224"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:asterisk", "cpe:/o:fedoraproject:fedora:11"], "id": "FEDORA_2010-3724.NASL", "href": "https://www.tenable.com/plugins/nessus/47325", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2010-3724.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(47325);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2010-0441\", \"CVE-2010-0685\", \"CVE-2010-1224\");\n script_bugtraq_id(38047, 38314, 38424);\n script_xref(name:\"FEDORA\", value:\"2010-3724\");\n\n script_name(english:\"Fedora 11 : asterisk-1.6.1.17-1.fc11 (2010-3724)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 1.6.1.17 * AST-2010-003: Invalid parsing of ACL rules can\ncompromise security * AST-2010-002: This security release is intended\nto raise awareness of how it is possible to insert malicious strings\ninto dialplans, and to advise developers to read the best practices\ndocuments so that they may easily avoid these dangers. 
* AST-2010-001:\nAn attacker attempting to negotiate T.38 over SIP can remotely crash\nAsterisk by modifying the FaxMaxDatagram field of the SDP to contain\neither a negative or exceptionally large value. The same crash occurs\nwhen the FaxMaxDatagram field is omitted from the SDP as well.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=561332\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2010-March/037679.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1bc3d35b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected asterisk package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:asterisk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^11([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 11.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC11\", reference:\"asterisk-1.6.1.17-1.fc11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"asterisk\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}