Asterisk access rule Remote Security Restriction Bypass Vulnerability

Release date:
Updated on:

Affected Systems:
Asterisk Business Edition C.3.7.4
Asterisk Business Edition C.3.7.3
Asterisk Business Edition C.3.6.4
Asterisk Business Edition C.3.6.3
Asterisk Business Edition C.3.6.2
Asterisk Business Edition C.3.3.2
Asterisk Business Edition C.3.2 3
Asterisk Business Edition C.3.2 2
Asterisk Business Edition C.3.1.0
Asterisk Business Edition C.3.1 1
Asterisk Business Edition
Description:
--------------------------------------------------------------------------------
Bugtraq id: 55335
Cve id: CVE-2012-4737

Asterisk is a free and open-source software that enables the Telephone User Switch (PBX) function.

Asterisk Open Source 1.8.15.1 before 1.8.x, 10.7.1 before 10.x, Certified Asterisk 1.8.11-cert7 before 1.8.11, Asterisk Digiumphones 10.7.1-digiumphones before 10. x. channels/chan_iax2.c in C.3.x versions earlier than x-digiumphones and Asterisk Business Edition C.3.7.6 do not execute ACL rules when using peer-to-peer creden. The Security Restriction Bypass Vulnerability exists, allow authenticated remote users to bypass the target outgoing call restrictions using these creden.

<* Source: Alan Frisch
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Asterisk
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://downloads.asterisk.org/pub/security/