]> git.ipfire.org Git - thirdparty/asterisk.git/commit
projects / thirdparty / asterisk.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ce8c34c) | patch
AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
authorRichard Mudgett <rmudgett@digium.com>
Mon, 30 Apr 2018 22:38:58 +0000 (17:38 -0500)
committerRichard Mudgett <rmudgett@digium.com>
Mon, 11 Jun 2018 15:28:32 +0000 (09:28 -0600)
commitf597032e833a4d3e8e710e5b1416ba780f002b8b
tree0016f72b40850e0e15ca4192929f3d56f40b2689tree
parentce8c34c3d19de32e2c4c6902fa62a3cdb4291180commit | diff
AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

When endpoint specific ACL rules block a SIP request they respond with a
403 forbidden.  However, if an endpoint is not identified then a 401
unauthorized response is sent.  This vulnerability just discloses which
requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.

* Made endpoint specific ACL rules now respond with a 401 unauthorized
which is the same as if an endpoint were not identified.  The fix is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.

ASTERISK-27818

Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
res/res_pjsip/pjsip_distributor.c diff | blob | blame | history
Mirror of https://github.com/asterisk/asterisk.git