Asterisk SIP Channel Authentication Bypass (AST-2016-009)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

A telephony application running on the remote host is affected by an
authentication bypass vulnerability.

Description :

According to its SIP banner, the version of Asterisk running on the
remote host is 11.x prior to 11.25.1, 13.x prior to 13.13.1, 14.x
prior to 14.2.1, 11.6 prior to 11.6-cert16, or 13.8 prior to
13.8-cert4. It is, therefore, affected by an authentication bypass
vulnerability in the chan_sip channel driver when handling the content
between the SIP header name and a colon character due to incorrect
stripping of non-printable ASCII characters. An unauthenticated,
remote attacker can exploit this issue, via a specially crafted
combination of valid and invalid 'To' headers, to cause a proxy to
allow an INVITE request into Asterisk without authentication. This is
because, in situations where Asterisk is placed in tandem with an
authenticating SIP proxy, the proxy treats the request as an
in-dialog request; however, due to this issue, the request appears
to be an out-of-dialog request to Asterisk, which then processes it
as a new call, thus allowing calls from unauthenticated sources.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.
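As an added illustration (not code from Tenable or the Asterisk project): a strict RFC 3261 header-name check that a proxy or IDS could run, compared against a lenient reading that treats every non-printable byte as whitespace, over a constructed INVITE. The addresses, tags and Call-ID in the sample are made up.

```python
import re

# RFC 3261 header names are "token"s; only SP and HTAB may sit between the name and the colon.
TOKEN_RE = re.compile(rb"^[A-Za-z0-9\-.!%*_+`'~]+$")
NONPRINT_RE = re.compile(rb"[\x00-\x1f\x7f]")

def parse_sip_headers(raw: bytes):
    """Strictly split the header section into (name, value, anomaly) triples; anomaly is None when clean."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:  # folded continuation line
            n, v, a = headers[-1]
            headers[-1] = (n, v + b" " + line.strip(b" \t"), a)
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            headers.append((name, b"", "no colon in header line"))
            continue
        name = name.rstrip(b" \t")               # the only stripping RFC 3261 permits
        value = value.strip(b" \t")
        if TOKEN_RE.match(name):
            headers.append((name, value, None))
        else:
            bad = sorted({hex(b) for b in name if NONPRINT_RE.match(bytes([b]))})
            headers.append((name, value, f"non-token bytes in header name: {bad}"))
    return headers

def audit_sip_message(raw: bytes):
    """Return the findings a strict proxy or IDS would raise for this message."""
    headers = parse_sip_headers(raw)
    findings = [f"{n!r}: {a}" for n, _, a in headers if a]
    # A lenient parser that treats non-printable bytes as whitespace sees more To
    # headers than a strict one; that disagreement is the split worth flagging.
    strict_to = [v for n, v, a in headers if a is None and n.lower() == b"to"]
    lenient_to = [v for n, v, _ in headers if NONPRINT_RE.sub(b"", n).lower() == b"to"]
    if len(lenient_to) != len(strict_to):
        findings.append(f"To header count differs: strict={len(strict_to)} lenient={len(lenient_to)}")
    return findings

# Constructed sample: one valid To header and one whose name carries a control
# byte before the colon, the pattern the advisory describes.
SAMPLE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"From: <sip:alice@example.com>;tag=1928\r\n"
          b"To: <sip:bob@example.com>;tag=9f2a\r\n"
          b"To\x01: <sip:bob@example.com>\r\n"
          b"Call-ID: a84b4c@192.0.2.10\r\n\r\n")
```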

See also :

http://downloads.asterisk.org/pub/security/AST-2016-009.html

Solution :

Upgrade to Asterisk version 11.25.1 / 13.13.1 / 14.2.1 / 11.6-cert16 /
13.8-cert4 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 95927

Bugtraq ID: 94789

CVE ID: CVE-2016-9938
